dylan_dofst

joined 2 years ago

I'm working on setting up an instance but I don't want to deal with the hassle and expense of having it send e-mails.

I don't think the loss of e-mail notifications is that big a deal - people can just use an app for that. However, I don't want to lose the ability to reset accounts.

So I'm thinking about setting up an MTA on the same server as the Lemmy instance and setting up a script to read e-mails it receives for passwords. If the script receives an e-mail from an address attached to the account it will set the account's password in the database based on the content of the e-mail. Users will be encouraged after login to manually update their password again so it is not stored in plain text anywhere.

My main concern with this is I'm not sure if it would be as secure as sending a password reset e-mail (even aside from the temporary plain text password). I would have the MTA check SPF and DKIM records of course. Is there a significant risk of, e.g., malicious actors spoofing e-mails to hijack accounts?
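One way to implement the sender check described above, as an added example and not the poster's code: the script trusts only the Authentication-Results header written by the instance's own MTA (its authserv-id `mx.lemmy.example` is an assumption), requires SPF and DKIM to pass for the domain of the From address, and requires that address to match the one registered on the account. The sample message is constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the authserv-id our own MTA stamps into Authentication-Results. Headers
# claiming any other id are ignored, since a sender can add their own before delivery.
OUR_AUTHSERV_ID = "mx.lemmy.example"

def parse_auth_results(value):
    """Parse one header value into (authserv_id, {method: (result, props)})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv = parts[0].split()[0].lower() if parts else ""
    results = {}
    for clause in parts[1:]:
        tokens = clause.lower().split()
        if "=" not in tokens[0]:
            continue  # e.g. the bare "none" clause of a header with no results
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = (result, props)
    return authserv, results

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def reset_allowed(raw_message, account_email):
    """Return (allowed, reason) for a reset e-mail claiming to come from account_email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    trusted = None
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(str(value))
        if authserv == OUR_AUTHSERV_ID:
            trusted = results  # topmost header from our own MTA wins; the rest is ignored
            break
    if trusted is None:
        return False, "no Authentication-Results header from our own MTA"
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != account_email.lower():
        return False, "From is not the address registered on the account"
    spf_result, spf = trusted.get("spf", ("none", {}))
    dkim_result, dkim = trusted.get("dkim", ("none", {}))
    # Both must pass for the domain of the visible From address (DMARC-style alignment).
    if spf_result != "pass" or domain_of(spf.get("smtp.mailfrom", "")) != domain_of(sender):
        return False, "SPF did not pass for a domain aligned with From"
    if dkim_result != "pass" or dkim.get("header.d", "") != domain_of(sender):
        return False, "DKIM did not pass for a domain aligned with From"
    return True, "sender authenticated"

# Constructed sample: the headers our MTA would leave on a genuine reset mail.
SAMPLE_OK = ("Authentication-Results: mx.lemmy.example; spf=pass smtp.mailfrom=alice@example.com;"
             " dkim=pass header.d=example.com\nFrom: Alice <alice@example.com>\n\nNewPassword123\n")
```

The MTA should additionally be configured to strip any pre-existing Authentication-Results header that claims its own authserv-id before adding its own, as RFC 8601 requires, so the script never sees a forged one on top.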

[email protected] 7 points 1 year ago (1 children)

I'm surprised how quickly they started doing this. Couldn't weather the protest for even two days.

[email protected] 1 points 1 year ago

I feel like this might work on some people too.

[email protected] 2 points 1 year ago

The /r/piracy subreddit is already blacked out and directing to https://lemmy.dbzer0.com/c/piracy. I don't know the history of that instance but it seems to be mostly piracy-focused communities. Could be what you're talking about has happened already.