Search code examples
androidgmailopenidjakarta-mailyahoo

Send bulk mails using java mail API or any other language without storing user password on server

I don't know what should be the appropriate title for that question , but summary of my question is below.

I am developing an android app where user have to email on various email id's of different mail server in just 1 click. Now , my application design is like when user click to send mail's . first , the query of user will hit my web service that is running on remote server.This web service will send emails on different id's of different server. And i have tried java mail API using ssl, but to send mails , we have to pass username and password both as parameters. Now , my question is should I save password of different user on my web server.Because I think this will be security breach for user. And i think we can not send mail without password using java mail API.if yes, than how? I've also heard about open id , but it is just for authentication i think.Or may I use open id concept for sending mail also without storing password.If yes than how?

Solution

  • There area couple of concepts that may help you to identify what you can and what you can't do ...

    SMTP current situation

    Nowadays all SMTP servers (these are the servers that receive and deliver the emails) used the ESMTP standard and require user authentication. The reason for this, is to avoid the usage of these servers to send spam on user behalf.

    What can you do

    So, as starting point, to have access to a trusted email server, you need valid user credentials.

    You have two main options:

    1. Use your own email account, with your credentials and set the fields replyTo and sentFrom to the user email account. The final result may depend on the email provider and email client used by the person receiving the email, as some of them may classify the message as spam.

    2. Use the user own credentials. You say in your question that user starts by connecting to your server, so you can request the user login and password by then and you don't need to store it in your server. To avoid user typing the password everytime, the user enters the login and password in your app just once, you store it localy (preferably encrypted), and the credentials are sent everytime (again preferably encrypted), user connects to your server to send the email.

    With any of the above approachs you are reducing the risk of disclosing the user mail credentials.

    Regards.