sending emails from KAMAR

[WHS Ict Technician]

our kamar email sending just broke.

I'm assuming it is because google finally closed all the security holes they've been going on about for years.

We can no longer send from individual users, only from kamar itself.

I've tried a lot of things - GAFE is set up to accept relay smtp without auth (https://support.google.com/a/answer/2956491?hl=en), and i've gone through all the options here: https://support.google.com/a/answer/176600?hl=en

No luck. It appears that kamar is using insecure methods to communicate with google, so the only way to get it to work is to ask all staff to turn off modern security. This is the response when we don't get an SSL failure or some other error:

	Hi westland high, Someone just tried to sign in to your Google Account <redacted> from an app that doesn't meet modern security standards. Details: Wednesday, November 11, 2015 10:53 AM (New Zealand Daylight Time) Hokitika, New Zealand* We strongly recommend that you use a secure app, like Gmail, to access your account. All apps made by Google meet these security standards. Using a less secure app, on the other hand, could leave your account vulnerable. Learn more. Google stopped this sign-in attempt, but you should review your recently used devices:

KAMAR's only response so far has been to tell me to turn off proper security setting in google.

Anyone else have any clever ideas?

[Mike Etheridge]

Are you on N4L? You could use their (unresponsive buggy) relay

relay.n4l.co.nz

Mike

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[flow in]

not on n4l yet. with spark

[Patrick Dunford]

That's what we use. I don't know if it has problems but I haven't had any complaints about sending email from Kamar. It's mostly the text service that they seem to have issues with.

[Patrick Dunford]

Use the Xtra server then. It's about on a par with N4L which is probably why their one sucks

On 11/11/2015 11:50 AM, flow in wrote:

not on n4l yet. with spark

[Keith Craig]

We use office 365 as our main email system but also have a Google domain. I tested using Google with a copy of our Kamar database running locally on my Mac. Like you said I had to allow the less secure methods on my Google account. The other way to try is untick “Use KAMAR to send Individual E-mails”. KAMAR then sends the message via the email client of the local user. We use this setting by default.

Keith Craig BCom PGDipBus(IS) CNE
Systems Administrator 

Phone +64 9 5231060 x843 Mobile +64 (0) 21541549

[Alistair Baird]

I have set up a separate (virtual) linux mail host that accepts emails from all our 'devices' like Kamar, printers (for scanning), printer server for quota limits, printers for automatic toner ordering, server monitoring alerts, UPS, voicemail from PABX etc. It accepts email from any host on the local LAN and sends it securely out using TLS/SSL to N4L's mail server. It also means all outgoing mail is channeled through one account and I only have one place to change it. Because you are on Spark/Telecom/N4L, your best bet is to go through their smtp server.

--

Alistair Baird

IT Manager

St Peters College 

p 06 354 4198

m 021 990 259

e bai...@stpeterspn.school.nz

[Craig Knights]

We use hmail on windows to relay too.

Ta
Craig

[WHS Ict Technician]

we really want the emails to come _from_ the user.

Since we use macs and web based gmail, we are finding that using the local clients instead of kamar to send isn't working either (not sure how to force a mac to use webmail, keeps opening local apple mail), and we don't want to allow less secure apps unilaterally. (since it is a security risk).

I wish Kamar would implement OAuth 2.0

[WHS Ict Technician]

managed to get it to work. I hadn't been patient enough waiting for the smtp-relay settings in GAFE to propagate.

1) set up smtp-relay in Gafe, no auth, no TLS (neither work, due to lack of oauth and SSL issues), restrict to your externally visible IP (not your assigned IP addresses, but the PTP ones)

2) set up kamar to send to smtp-relay.gmail.com, port 25, no ssl or tls

still horrible (lack of ssl and tls) but allows your users to still have 2 factor auth on,  less secure apps disabled  and still send from Kamar

[Andrew Godfrey]

On-site relay on to google used here.

We tried relaying on to N4L which was faster than google but there were more delivery failures.

Our relay has two queues so that large Kamar mailings don't hold up scan-to-email and other server notifications. (Kamar: smtp port 125, Other servers: smtp port 25)

_______________________________________

 

Andrew Godfrey  |  Network Manager

[Pete Mundy]

Don't stress it. That stuff is mostly just dropped at the first MTA the message passes through anyway.

Pete

[Patrick Dunford]

I've got a similar problem with another application we run on our system, that has stopped being able to log into a Google mailbox using IMAP over SSL. Oauth is not supported by it.

Not so long ago if you had 2-factor authentication turned on in your Gmail account settings, it was possible to generate application specific passwords so that applications that didn't support 2-factor could still be used. I wonder if this is still a possibility as it may be a workaround for the lack of oauth support as well, or if Google has now dropped application specific passwords.

It looks like I am having a problem with n4l's smtp server this time as well so I may have to take a look at the smtp relay for Google.

[Kees Fransen]

Hi Guys,

It looks like Google has finished rolling out the security enhancement which include disabling SMTP auth using a password.

The announcement: http://googleappsupdates.blogspot.co.nz/2015/09/block-access-to-less-secure_15.html if you haven't seen it. The main pain point to this is that, AFAIK the setting needs to be toggled manually for each user. https://support.google.com/accounts/answer/6010255

As others have recommended, setting up a local server to relay via Google SMTP, N4L or even Mandrill is a better option long term. I noted a marked improvement on the speed of bulk email when sending via KAMARas a locol postfix can accept a large amount of mail locally and queue it to your relay. This then frees the workstation up a lot sooner

Cheers,

Kees
ITed Services

[Kees Fransen]

Sorry, I forgot to mention that we have no issues with port 587 with StartTLS or port 465 with SSL using smtp.gmail.com in KAMAR. All it took to fix the immediate issue was to enable the "Allow less secure apps" setting.

Cheers,
Kees

[WHS Ict Technician]

I think you missed the thread.

"All it took to fix the immediate issue was to enable the "Allow less secure apps" setting."

is not acceptable. There's a reason that google doesn't want us to use less secure apps.


fix is:

1) set up smtp-relay in Gafe, no auth, no TLS (neither work, due to lack of oauth and SSL issues), restrict to your externally visible IP (not your assigned IP addresses, but the PTP ones)

2) set up kamar to send to smtp-relay.gmail.com, port 25, no ssl or tls

still horrible (lack of ssl and tls) but allows your users to still have 2 factor auth on,  less secure apps disabled  and still send from Kamar

[WHS Ict Technician]

long term solution is providers such as Kamar implementing oauth2

[Jonathan Webster]

We've been upgrading our mail relay service over the last while and very soon will be introducing geographic redundancy as standard, as well as a dedicated relay tuned for the sending of bulk email. 

The testing we've done so far is looking good, so we'll be announcing the changes/upgrades formally shortly

-- 

Jonathan Webster 
Senior Engineer - Infrastructure, The Network for Learning Ltd

M: +64 22 040 3300
P: PO Box 37118, Parnell, Auckland 1151
W: http://www.n4l.co.nz

[Patrick Dunford]

We abandoned a local mail server a long, long time ago as it had no
reputation capability so blacklists became a problem.