aaronpk / indielogin.com

Sign in with your domain name
https://indielogin.com
MIT License

Email not received #32

Closed filips123 closed 5 years ago

filips123 commented 5 years ago

Emails with one-time code are not received when using login with email.

iamwebrocker commented 5 years ago

+1

aaronpk commented 5 years ago

Check your spam folder. I've tried to do all the right DKIM/SPF stuff to get the emails delivered, but some providers are still marking them as spam.

iamwebrocker commented 5 years ago

Hi Aaron, thanks for looking/taking the time here :-) There's nothing in the spam folder, but I suspect that my provider already does some filtering at the mail server level, before "my" account-level settings and then local settings are applied. Had "fun" with SPF-related bounces just recently.

jlelse commented 5 years ago

On my server the mail gets rejected: Sender address rejected: Domain not found

So it seems like the Mailgun setup isn't correct. There is no domain record for mail.indielogin.com.

jlelse commented 5 years ago

@aaronpk Could you please just add this one DNS entry? 🙈 I think the Mailgun docs tell what to point it to.

aaronpk commented 5 years ago

I don't see anything in the Mailgun docs about this, and Mailgun says all the necessary DNS is added. But now that you mention it, I think I've hit this issue before with other domains. It looks like some mail servers do an A/CNAME record lookup on the domain, even though that absolutely isn't required for email to be delivered.

In any case, I've added this DNS record so hopefully this should go away soon.
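The rejection jlelse saw ("Sender address rejected: Domain not found") is what Postfix's reject_unknown_sender_domain restriction returns when the MAIL FROM domain has neither an MX record nor an A/AAAA record. The check below is an added example of that lookup order (MX first, then the RFC 5321 "implicit MX" fallback to an address record, following a CNAME if present); it is not indielogin.com, Mailgun or Postfix code. The zone data is constructed for the example and stands in for live DNS; a real deployment would plug a DNS client into the `resolve` parameter.

```python
"""Emulate the sender-domain check a receiving MTA makes at MAIL FROM time."""

# Constructed zone data standing in for live DNS answers (not real records).
ZONES = {
    "example.com": {"MX": [(10, "mx1.example.com")], "A": ["192.0.2.10"]},
    "mx1.example.com": {"A": ["192.0.2.11"]},
    # No MX at all, but an A record: accepted via the implicit-MX rule.
    "mail.example.net": {"A": ["192.0.2.20"]},
    # Only a CNAME; the check follows it to a name that has an A record.
    "alias.example.org": {"CNAME": ["mail.example.net"]},
    # SPF published but no MX/A/AAAA: looks configured, still rejected.
    "nomx.example.org": {"TXT": ["v=spf1 include:spf.example.net ~all"]},
    # RFC 7505 null MX: the domain explicitly says it never handles mail.
    "nullmx.example.com": {"MX": [(0, ".")], "A": ["192.0.2.30"]},
}


def fake_resolve(name, rrtype):
    """Stand-in resolver: records of rrtype for name, or [] for NXDOMAIN/NODATA."""
    return ZONES.get(name.lower().rstrip("."), {}).get(rrtype, [])


def sender_domain_exists(domain, resolve, max_cname_hops=4):
    """Return (accepted, reason) for a MAIL FROM domain.

    Order of checks, per RFC 5321 section 5.1:
      1. MX records present -> accepted (unless it is a null MX, RFC 7505).
      2. No MX but an A or AAAA record -> accepted (implicit MX).
      3. CNAME -> repeat the checks on the target, bounded by max_cname_hops.
      4. Nothing -> rejected; this is the "Domain not found" case.
    """
    name = domain
    for _ in range(max_cname_hops + 1):
        mx = resolve(name, "MX")
        if mx:
            if all(host == "." for _, host in mx):
                return False, "null MX: domain does not accept mail"
            return True, "MX " + ", ".join(host for _, host in mx)
        if resolve(name, "A") or resolve(name, "AAAA"):
            return True, f"no MX, implicit MX via address record on {name}"
        cname = resolve(name, "CNAME")
        if not cname:
            return False, "no MX, A or AAAA record"
        name = cname[0]
    return False, "CNAME chain too long"


def mail_from_response(address, resolve):
    """SMTP reply an MTA applying this restriction would give to MAIL FROM:<address>."""
    domain = address.rpartition("@")[2]
    accepted, _reason = sender_domain_exists(domain, resolve)
    if accepted:
        return "250 2.1.0 Ok"
    # Wording and 450 (temporary) status follow Postfix's default for this restriction.
    return f"450 4.1.8 <{address}>: Sender address rejected: Domain not found"


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@alias.example.org",
                 "bot@nomx.example.org", "x@nullmx.example.com"):
        print(addr, "->", mail_from_response(addr, fake_resolve))
```

Two things worth noticing: SPF or DKIM records on the domain do not help here, because the restriction only asks whether the domain can receive mail at all; and the reply is a 450, so a sending provider will keep retrying until the missing record appears, which is why the fix took effect without anyone resending.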

iamwebrocker commented 5 years ago

Hi Aaron,

thank you, it now works for me - received the email, all good now. 👍

filips123 commented 5 years ago

@aaronpk It also works for me. However, email often goes to spam. Can you also fix this?

Also, is it secure to only use a 4-char code? Couldn't this be brute-forced in only a few seconds?

aaronpk commented 5 years ago

Thanks, glad the emails are getting through now. I don't really have any control over whether they end up in spam other than doing these fixes like adding DNS entries and DKIM/SPF records and such. Other than that the best thing you can do is keep moving them out of spam to train your spam filters.

The 4-digit code requires entering it in the same browser that initiated the request, so it can't be brute forced really. The browser holds on to a separate session token during the flow, so the code by itself is useless.

This also means you can't start the flow on one device and finish it on another device, which was an intentional design decision even if that would be convenient.

aaronpk commented 5 years ago

I'm going to close the issue since it sounds like the original problem has been resolved. Thanks for helping me track it down!

filips123 commented 5 years ago

I don't really have any control over whether they end up in spam other than doing these fixes like adding DNS entries and DKIM/SPF records and such.

Can you also try to add those DNS entries?

The 4-digit code requires entering it in the same browser that initiated the request, so it can't be brute forced really.

What if the attacker enters site URL, chooses to log in with the email and then tries all possible combinations in the same session?

aaronpk commented 5 years ago

That DNS entry is the one brought up here. I don't know of any other anti-spam techniques now.

Let's discuss the brute force issue in a separate thread.
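As an added illustration of the design aaronpk describes above (a short emailed code that is only valid together with the session token the initiating browser holds) and of the same-session brute-force case filips123 raises, here is a small session-bound verification service. It is example code, not indielogin.com's implementation; the class and function names, the 5-attempt limit, the 10-minute expiry and the constructed addresses are all assumptions. The thread does not say whether indielogin.com limits attempts; the example adds that limit because without it an attacker who starts their own flow can try all 10,000 codes inside their own session.

```python
"""Session-bound email login codes with a per-session attempt limit (example code)."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 4          # as in the thread: a 4-digit code
MAX_ATTEMPTS = 5         # assumed limit; caps guesses per issued code
CODE_TTL_SECONDS = 600   # assumed expiry


def random_code():
    """Uniform CODE_LENGTH-digit code from the CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


@dataclass
class PendingLogin:
    email: str
    code: str
    created_at: float
    attempts: int = 0


class EmailCodeLogin:
    """Server side of the flow. The session token lives in the browser's cookie;
    the code travels by email. Neither is sufficient on its own."""

    def __init__(self, now=time.time, code_source=random_code):
        self._now = now                  # injectable clock (tests)
        self._code_source = code_source  # injectable code generator (tests)
        self._pending = {}               # session token -> PendingLogin

    def start(self, email):
        """Begin a login. Returns (token, code): the token goes to the browser,
        the code goes to the mailbox. Returned together here only so the caller
        can play the role of the mail system."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingLogin(email, self._code_source(), self._now())
        return token, code_for_demo(self._pending[token])

    def verify(self, token, code):
        """Check a code against the pending login for this session token."""
        pending = self._pending.get(token)
        if pending is None:
            # Covers both "code without session" and "session already burned".
            return False, "no pending login for this session"
        if self._now() - pending.created_at > CODE_TTL_SECONDS:
            del self._pending[token]
            return False, "code expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            # Burn the session: further guesses, even the right one, fail.
            del self._pending[token]
            return False, "too many attempts; start over"
        if not hmac.compare_digest(pending.code, code):
            return False, "wrong code"
        del self._pending[token]  # single use
        return True, pending.email


def code_for_demo(pending):
    """Stands in for sending the email: hands the code to the demo caller."""
    return pending.code


def brute_force(service, token):
    """Attacker who started a flow in their own browser and guesses every code.
    Returns (succeeded, attempts_made); stops once the session is burned."""
    for n in range(10 ** CODE_LENGTH):
        ok, reason = service.verify(token, f"{n:0{CODE_LENGTH}d}")
        if ok:
            return True, n + 1
        if reason != "wrong code":
            return False, n + 1
    return False, 10 ** CODE_LENGTH


if __name__ == "__main__":
    svc = EmailCodeLogin()
    token, code = svc.start("alice@example.com")     # constructed address
    print("code alone, no session:", svc.verify("some-other-token", code))
    print("same browser, right code:", svc.verify(token, code))
    token2, _ = svc.start("attacker@example.com")
    print("same-session brute force:", brute_force(svc, token2))
```

With the limit in place an attacker gets at most MAX_ATTEMPTS guesses per issued code, so the success probability per flow is MAX_ATTEMPTS / 10^CODE_LENGTH rather than certainty; restarting the flow issues a fresh random code, so earlier guesses carry no information forward. The session token is what ties the code to the initiating browser, which is also why, as aaronpk notes, the flow cannot be started on one device and finished on another.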