The Evolution of Email SMTP Security
Every year there is a call to include SMTP support as part of WordPress. This won’t happen. Like HTML, SMTP is a moving target. First there was SSL, then TLS, then StartTLS, then Application-specific passwords. The latest is OAuth, the darling authentication method of Web 2.0. In the case of WordPress, that’s a lot outside of the core focus to keep on top of.
OAuth, and more recently OAuth 2.0, is a method of authentication that involves a user granting access to their data from a server to a third party application. Once the user provides consent, a token is generated which the third party application uses to gain access, perhaps once, perhaps forever. Even if you’ve never heard of OAuth, you’ve probably used it. The ubiquitous ‘Sign in with your Facebook Id’ is one example of client applications requesting access to your (Facebook) data.
When Gmail becomes the Bermuda Triangle of e-Mail
Gmail has supported OAuth as an authentication method for several years now. In mid-2014 Google began disallowing traditional SSL/TLS authentication and blocking apps that “do not use modern security standards.”
I was one of the users impacted by their changes. I had no idea that my website could no longer send out email until I tried to use the Forgot Password link and never received a response! I discovered that the messages were still being accepted by Gmail (so no errors appeared in WordPress). But once Gmail had a hold of them, they were simply dropped without warning. If you use WordPress as a means for new customers to contact you, you will realize that this is a small crisis.
The solution – Gmail with SMTP OAuth 2.0
Out of the box, WordPress uses PHPMailer, a library that sends mail via the server’s local SMTP daemon. If you want something more you’ll need to install a plugin. There are over 172 WordPress SMTP Plugins that promise the ability to send email to a user-specified server, but not one of them supports OAuth.
So I spent a week-end reading everything I could on OAuth 2.0 and created the 173rd WordPress SMTP plugin, Postman: a WordPress OAuth 2.0 SMTP plugin.
Besides the obvious benefit of “hey, I can send mail again!”, using OAuth 2.0 gives a WordPress administrator or blogger some additional benefits:
- You never have to give out your Google password. I’m not a fan of entering my ‘private’ credentials into third-party software, and using OAuth means not having to do that.
- As a consequence of the previous point, once OAuth is configured, WordPress can send mail forever, even if my password changes. I won’t have to update every one of my sites when it does.
- The token that the application receives is narrowly scoped: it can only be used to access the data it was authorized for, in this case Gmail and not, say, Google Docs.
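The two points above (the client never presents a password, and the token is bound to one user and one scope) are visible on the wire in the SASL XOAUTH2 mechanism that Gmail's SMTP server uses. The following is an added example, not code from the original post or from the Postman plugin: it builds the `AUTH XOAUTH2` client response, decodes it the way a server would, and runs it against a constructed in-memory SMTP server that accepts only a token issued for the claimed mailbox and carrying the mail scope. The `https://mail.google.com/` scope value, the token store and the reply strings are assumptions made for the example; the XOAUTH2 encoding (`user=<u>\x01auth=Bearer <t>\x01\x01`, base64) and the 334-then-empty-line failure shape follow Google's published description of the mechanism.

```python
import base64
import json
from dataclasses import dataclass, field

# Scope assumed to be required on the access token for SMTP access (assumption
# for this example; substitute the provider's actual scope).
GMAIL_SCOPE = "https://mail.google.com/"


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Encode the SASL XOAUTH2 initial client response.

    Wire format: base64("user=" + user + "\x01auth=Bearer " + token + "\x01\x01"),
    sent by the client as: AUTH XOAUTH2 <this string>. No password is ever sent.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_response(encoded: str) -> dict:
    """Decode an XOAUTH2 client response into {'user': ..., 'token': ...}."""
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response: missing terminator")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed XOAUTH2 field: {part!r}")
        fields[key] = value
    auth = fields.get("auth", "")
    if not auth.startswith("Bearer "):
        raise ValueError("XOAUTH2 auth field must carry a Bearer token")
    return {"user": fields.get("user", ""), "token": auth[len("Bearer "):]}


@dataclass
class FakeTokenStore:
    """Constructed stand-in for token validation: token -> (subject, set of scopes)."""
    tokens: dict = field(default_factory=dict)

    def lookup(self, token: str):
        return self.tokens.get(token)


@dataclass
class FakeSmtpServer:
    """Constructed SMTP server that implements only the AUTH XOAUTH2 step."""
    store: FakeTokenStore

    def handle_auth(self, command: str) -> str:
        """Return the reply to 'AUTH XOAUTH2 <base64>': 235 on success, else a
        334 challenge carrying a base64 JSON error (the client must then send
        an empty line, after which the server finishes with 535)."""
        parts = command.split(" ")
        if len(parts) != 3 or parts[0] != "AUTH" or parts[1] != "XOAUTH2":
            return "501 5.5.4 Syntax error in AUTH XOAUTH2"
        try:
            claim = parse_xoauth2_response(parts[2])
        except ValueError:
            return self._challenge("400")
        entry = self.store.lookup(claim["token"])
        if entry is None:
            return self._challenge("401")  # unknown, expired or revoked token
        subject, scopes = entry
        if subject != claim["user"]:
            return self._challenge("401")  # token was not issued for this mailbox
        if GMAIL_SCOPE not in scopes:
            return self._challenge("401")  # valid token, but not scoped for mail
        return "235 2.7.0 Accepted"

    @staticmethod
    def _challenge(status: str) -> str:
        body = json.dumps({"status": status, "schemes": "bearer", "scope": GMAIL_SCOPE})
        return "334 " + base64.b64encode(body.encode("ascii")).decode("ascii")


def smtp_auth_exchange(user: str, access_token: str, server: FakeSmtpServer) -> list:
    """Run the client side of AUTH XOAUTH2 and return the (side, line) transcript."""
    transcript = []
    client_line = "AUTH XOAUTH2 " + build_xoauth2_response(user, access_token)
    transcript.append(("C", client_line))
    reply = server.handle_auth(client_line)
    transcript.append(("S", reply))
    if reply.startswith("334"):
        transcript.append(("C", ""))  # empty line ends the failed attempt
        transcript.append(("S", "535 5.7.8 Username and Password not accepted"))
    return transcript


def auth_succeeded(transcript: list) -> bool:
    return transcript[-1][1].startswith("235")


if __name__ == "__main__":
    # Constructed tokens: one scoped for mail, one scoped only for Docs.
    store = FakeTokenStore({
        "tok-mail": ("alice@example.com", {GMAIL_SCOPE}),
        "tok-docs": ("alice@example.com", {"https://www.googleapis.com/auth/documents"}),
    })
    server = FakeSmtpServer(store)
    for tok in ("tok-mail", "tok-docs"):
        for side, line in smtp_auth_exchange("alice@example.com", tok, server):
            print(f"{side}: {line[:60]}")
```

The Docs-scoped token is rejected even though it is a perfectly valid Google token for the same user, which is the scope property the third bullet describes; a token for a different mailbox is rejected for the same reason. A real client would react to the 334/535 pair by refreshing the access token with its refresh token and retrying, which is how a configured site keeps sending mail after the account password changes.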
Postman offers a setup wizard for easy configuration, integrated TCP port testing for troubleshooting firewall issues imposed by your host, and of course OAuth 2.0 authentication for those of you with a Gmail or (coming soon) Hotmail account.