Could someone give me a hint, how I use a PowerShell script to send an email through my gmail account without being prompted for my credentials every time and *without saving my password anywhere in plain text?
Background: I’m mointoring my duplicacy logs for errors using select-string and would like to send an email if an error is found. I have managed to send the email manually, but it only works if I enter my credentials manually every time.
Slightly orthogonal answer - but you will have to store some credentials somewhere to authenticate to the SMTP server. Using application passwords is just a tiny bit better.
What I would do instead, use a service like Amazon SES or MailGun, designed to send mail on behalf of your domain. SES cost pennies, and MailGun is free for 1000 emails per month, and then also pennies per 1000 of emails.
Then setup a IAM user that is only allowed to send email. And store that user’s credentials in plain text if you want.
Yes, but I was assuming that it should be possible to let Windows take care of that in a secure manner, just like it does with the password for the duplicacy storage (for the latter to work, I just have to run my script manually once, it will prompt me for my Windows password once and after that the scheduler can run it without problems).
I don’t see where the difference is as Mailgun will also require credentials. If the learning curve for sending automated emails with powershell is to steep, my plan B would be Zapier or Integromat or something like that: store the file with the error messages in a Dropbox folder and let Zapier pick it up from there…
Ah, I see, this makes sense. Maybe look into ConvertTo-SecureString and the example for gmail specifically here (scroll down to answer timestamped “Jun 6 '16 at 9:57”)
I don’t see where the difference is as Mailgun will also require credentials.
The difference is that damage of that password being compromised is virtually zero. You can totally keep it in plain text. The worst thing that happens somebody may be able to send an email. As opposed to leaking credentials from your gmail account.
This is something which i want(ed?) to do at some point in my duplicacy powershell script: save the credentials in windows’ credential manager, so i’m interested in this as well.
One thing which i don’t agree though is save the password in a file. That is unacceptable to me because if someone uses my pc (for anything malicious) they could just decode my password from the file even if encrypted. The credentials should be saved in the windows-specific place.
shameless plug: GitHub - TheBestPessimist/duplicacy-utils: Utilities for Windows for Duplicacy
But it’s encrypted with your users UUID so only your account can decrypt it, just as it is when stored in credential manager. Except with a file you can put it with the rest of stuff under .duplicacy. Also if adversary already has access to your windows account - password for an email forwarder is the least of the problems, no?
Can’t deny that…
Ah, thank you. I think that will work (will try later). I was very close. Where I failed was in discovering this rather strange way of handing my password over to ConvertTo-SecureString (and the need for -Force):
"myPassword" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "C:\EmailPassword.txt"
(Side note: why does StackOverflow not provide links to answers??)
Go ask that to @codingHorror 