惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
Apple Machine Learning Research
Apple Machine Learning Research
The Register - Security
The Register - Security
J
Java Code Geeks
V2EX - 技术
V2EX - 技术
Vercel News
Vercel News
N
News and Events Feed by Topic
腾讯CDC
P
Proofpoint News Feed
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
爱范儿
爱范儿
O
OpenAI News
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
Martin Fowler
Martin Fowler
Engineering at Meta
Engineering at Meta
D
Docker
Y
Y Combinator Blog
博客园 - 聂微东
G
Google Developers Blog
S
Security @ Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
S
Schneier on Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
S
SegmentFault 最新的问题
云风的 BLOG
云风的 BLOG
阮一峰的网络日志
阮一峰的网络日志
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
CERT Recently Published Vulnerability Notes
I
Intezer
G
GRAHAM CLULEY
有赞技术团队
有赞技术团队
Attack and Defense Labs
Attack and Defense Labs
V
Visual Studio Blog
博客园 - Franky
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hugging Face - Blog
Hugging Face - Blog
Scott Helme
Scott Helme
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
L
LINUX DO - 最新话题
C
Cybersecurity and Infrastructure Security Agency CISA

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Outlook.com Is the Final Boss of 'Just Send an Email'
Sagan Market · 2026-05-25 · via DEV Community

Every email project starts with a lie:

"I'll just test it with SMTP real quick."

That was my plan while working on EpicMail.

I wanted a boring, repeatable provider smoke test:

  1. Pick a mailbox provider.
  2. Add host, port, username, and password.
  3. Send one message.
  4. Move on with my life.

Instead, I got a tour of how consumer email providers have slowly turned "send an email" into an authentication archaeology dig.

The three providers I tested were:

  • Gmail
  • iCloud Mail
  • Outlook.com

The surprise was not that OAuth is complicated. Everyone knows OAuth is complicated.

The surprise was how much easier the entire C# provider-testing loop became once I stopped trying to solve OAuth on day one and used app passwords for developer-owned test accounts.

This is not an argument that app passwords are better than OAuth.

It is an argument that they are a fantastic debugging ladder.

But maybe shipping the ladder as the building is not the answer also.

First C# lesson: do not start with System.Net.Mail.SmtpClient

If you are building this in .NET, the first trap is that the built-in class name looks exactly like what you want:

using System.Net.Mail;

var client = new SmtpClient("smtp.example.com");

Enter fullscreen mode Exit fullscreen mode

But Microsoft's own docs say System.Net.Mail.SmtpClient is not recommended for new development because it does not support many modern protocols, and they point developers toward MailKit or other libraries instead.

So for EpicMail-style testing, I reached for MailKit:

dotnet add package MailKit

Enter fullscreen mode Exit fullscreen mode

The boring version of the test looks like this:

using MailKit.Net.Smtp;
using MailKit.Security;
using MimeKit;

public sealed record SmtpSmokeTestOptions(
    string Provider,
    string Host,
    int Port,
    string Username,
    string Secret);

public static async Task SendSmokeTestAsync(
    SmtpSmokeTestOptions options,
    string recipient,
    CancellationToken cancellationToken = default)
{
    var message = new MimeMessage();
    message.From.Add(MailboxAddress.Parse(options.Username));
    message.To.Add(MailboxAddress.Parse(recipient));
    message.Subject = $"EpicMail smoke test: {options.Provider}";
    message.Body = new TextPart("plain")
    {
        Text = "If this arrived, SMTP is alive."
    };

    using var client = new SmtpClient
    {
        Timeout = 15_000
    };

    await client.ConnectAsync(
        options.Host,
        options.Port,
        SecureSocketOptions.StartTls,
        cancellationToken);

    await client.AuthenticateAsync(
        options.Username,
        options.Secret,
        cancellationToken);

    await client.SendAsync(message, cancellationToken);

    await client.DisconnectAsync(quit: true, cancellationToken);
}

Enter fullscreen mode Exit fullscreen mode

That is the code I wanted the entire project to feel like.

A tiny abstraction.

A tiny config object.

A tiny smoke test.

And then reality showed up.

The provider matrix I wanted

For a developer-owned test account, the provider table feels like it should be this simple:

Provider SMTP host Port Credential path for smoke testing
Gmail smtp.gmail.com 587 Google app password
iCloud Mail smtp.mail.me.com 587 Apple app-specific password
Outlook.com smtp-mail.outlook.com 587 Microsoft app password for the controlled test path; OAuth2/Modern Auth for the product path

As configuration, that becomes extremely boring:

{
  "SmtpSmokeTests": [
    {
      "Provider": "Gmail",
      "Host": "smtp.gmail.com",
      "Port": 587,
      "Username": "you@gmail.com",
      "Secret": "<gmail app password>"
    },
    {
      "Provider": "iCloud",
      "Host": "smtp.mail.me.com",
      "Port": 587,
      "Username": "you@icloud.com",
      "Secret": "<apple app-specific password>"
    },
    {
      "Provider": "Outlook.com",
      "Host": "smtp-mail.outlook.com",
      "Port": 587,
      "Username": "you@outlook.com",
      "Secret": "<microsoft app password or oauth token path>"
    }
  ]
}

Enter fullscreen mode Exit fullscreen mode

The protocol part is not the hard part.

The hard part is proving to three giant identity systems that your tiny test harness is not suspicious.

Gmail: the trick is not your normal password

Gmail's SMTP settings are conventional enough: smtp.gmail.com, port 587, STARTTLS, authentication required.

The trick is that the useful test credential is not your normal Google password.

It is a generated app password.

That turns this kind of failure:

535-5.7.8 Username and Password not accepted

Enter fullscreen mode Exit fullscreen mode

into this kind of progress:

250 2.1.5 OK

Enter fullscreen mode Exit fullscreen mode

For a smoke test, that is a massive difference.

No consent screen.

No redirect URI.

No token refresh.

No "is my OAuth app still in testing mode?" rabbit hole.

Just a dev mailbox and a generated credential.

Google's own Gmail client setup docs list smtp.gmail.com, STARTTLS on port 587, and suggest trying an app password when 2-Step Verification is enabled and a mail client cannot sign in.

iCloud Mail: refreshingly literal

iCloud Mail was the provider that felt closest to the old-school SMTP mental model.

Apple's settings are direct:

SMTP server: smtp.mail.me.com
Port: 587
Authentication: required
Username: full iCloud email address
Password: app-specific password

Enter fullscreen mode Exit fullscreen mode

The important detail is the username.

For SMTP, Apple says to use the full iCloud Mail email address, not just the local part.

So this is good:

you@icloud.com

Enter fullscreen mode Exit fullscreen mode

This is the kind of tiny detail that costs 30 minutes when your test harness only says:

Authentication failed.

Enter fullscreen mode Exit fullscreen mode

And it is exactly why provider diagnostics matter.

A good product should say:

iCloud rejected SMTP authentication.

Check:
- Are you using smtp.mail.me.com on port 587?
- Are you using STARTTLS?
- Is the username your full iCloud Mail address?
- Is the password an Apple app-specific password rather than your Apple Account password?

Enter fullscreen mode Exit fullscreen mode

That is not just error handling.

That is product UX.

Outlook.com: where SMTP becomes an identity-platform problem

Outlook.com is where the simple smoke test started to feel like a boss fight.

The rough shape still looks familiar:

SMTP server: smtp-mail.outlook.com
Port: 587
Encryption: STARTTLS

Enter fullscreen mode Exit fullscreen mode

But then the auth story gets more interesting. With a new Outlook.com test account, I was not able to turn on SMTP... it looked like turned it on, but when I refreshed the page, it showed that it was still off. When I tried to investigate deeper, I noticed that the "Inspect/Developer Tools" Network tab showed an error in the response:

POST https://outlook.live.com/owa/0/service.svc?action=SetConsumerMailbox&app=Mail&n=36
412 (Precondition Failed)
Uncaught (in promise) Error: SetConsumerMailbox failed:
Microsoft.Exchange.Clients.Owa2.Server.Core.OwaInvalidServiceRequestException

Furthermore, Microsoft's Outlook.com SMTP settings list OAuth2 / Modern Auth as the authentication method. The same support surface also documents app passwords for Outlook.com accounts using two-factor authentication when a password is not accepted by another program.

That is where the provider test stops being a socket problem and becomes an account-state problem.

When Outlook.com rejects you, the question is not just:

Did my C# code authenticate correctly?

The question becomes:

Which authentication universe is this account currently living in?

For a developer-owned EpicMail smoke test, an app password was the shortest path to answering the narrow question I cared about first:

Can this adapter send one message through Outlook.com SMTP?

But I would not treat that as the long-term product answer.

For real user onboarding, Outlook.com is clearly pointing the ecosystem toward Modern Auth / OAuth2.

That is the central distinction:

Dev-owned smoke test:
  App password is great.

User-owned production account:
  OAuth2 / provider API is the responsible path.

Enter fullscreen mode Exit fullscreen mode

The problem is that both of those workflows might touch the same SMTP host and port.

So your code has to know which game it is playing.

App passwords are not "better OAuth"

This is the key lesson.

App passwords are not a better security model than OAuth.

They are a faster way to answer a narrower engineering question:

Can this provider send mail from this controlled test account using SMTP?

For EpicMail, that was exactly the question I needed answered first.

The app-password credential shape is tiny:

public sealed record AppPasswordCredential(
    string Username,
    string AppPassword);

Enter fullscreen mode Exit fullscreen mode

The send path is tiny:

await client.AuthenticateAsync(
    credential.Username,
    credential.AppPassword,
    cancellationToken);

Enter fullscreen mode Exit fullscreen mode

OAuth is a different animal:

public sealed record OAuthSmtpCredential(
    string Username,
    string AccessToken,
    string? RefreshToken,
    DateTimeOffset ExpiresAt,
    string[] Scopes,
    string ProviderClientId);

Enter fullscreen mode Exit fullscreen mode

And yes, MailKit can authenticate with an OAuth2 access token:

using MailKit.Security;

var oauth2 = new SaslMechanismOAuth2(
    credential.Username,
    credential.AccessToken);

await client.AuthenticateAsync(oauth2, cancellationToken);

Enter fullscreen mode Exit fullscreen mode

But that line is not the hard part.

The hard part is everything required to make that line safe and repeatable:

  • provider app registration
  • redirect URIs
  • local development callback URLs
  • consent screen configuration
  • scopes
  • token exchange
  • refresh token storage
  • encryption at rest
  • token refresh
  • revoked consent
  • expired refresh tokens
  • tenant or account policy
  • provider-specific support docs
  • user-facing recovery flows

For a real multi-user product, that work is justified.

For a smoke test, it can be a trap.

The abstraction changed once I separated the two paths

The useful design move was to stop pretending that "SMTP auth" is one thing.

It is not.

At minimum, EpicMail needs to model two credential modes:

public abstract record ProviderCredential(string Username);

public sealed record AppPasswordCredential(
    string Username,
    string AppPassword) : ProviderCredential(Username);

public sealed record OAuthCredential(
    string Username,
    string AccessToken,
    string? RefreshToken,
    DateTimeOffset ExpiresAt) : ProviderCredential(Username);

Enter fullscreen mode Exit fullscreen mode

Then the adapter can be honest:

public interface IEmailProviderAdapter
{
    string ProviderName { get; }

    Task SendSmokeTestAsync(
        ProviderCredential credential,
        string recipient,
        CancellationToken cancellationToken = default);

    ProviderDiagnostic Diagnose(Exception exception);
}

Enter fullscreen mode Exit fullscreen mode

And the Outlook.com adapter can say something useful instead of pretending all failures are equal:

if (ProviderName == "Outlook.com" && credential is AppPasswordCredential)
{
    diagnostic.Warnings.Add(
        "App passwords are useful for controlled Outlook.com smoke tests, " +
        "but OAuth2 / Modern Auth is the better user-facing path.");
}

Enter fullscreen mode Exit fullscreen mode

That warning is not bureaucracy.

It is future you leaving a note for support-ticket you.

The error taxonomy became the real feature

The most useful part of this work was not the successful send.

It was cataloging failures.

The first version of an email integration usually thinks it needs this:

public bool Sent { get; init; }

Enter fullscreen mode Exit fullscreen mode

What it actually needs is closer to this:

public enum ProviderDiagnosticCode
{
    Success,
    TcpConnectionFailed,
    StartTlsFailed,
    AuthenticationRejected,
    SenderRejected,
    RecipientRejected,
    ProviderPolicyRejected,
    RateLimited,
    MessageRejected,
    Unknown
}

Enter fullscreen mode Exit fullscreen mode

Because users do not need to know that SmtpCommandException happened.

They need to know what to do next.

A raw error says:

MailKit.Security.AuthenticationException: Authentication failed.

Enter fullscreen mode Exit fullscreen mode

A useful EpicMail-style diagnostic says:

Outlook.com rejected SMTP authentication.

Check:
- Are you using smtp-mail.outlook.com on port 587?
- Are you using STARTTLS?
- Is this account expecting OAuth2 / Modern Auth?
- If this is a dev-owned smoke test, is the Microsoft app password valid?
- Did Microsoft flag the sign-in in Recent Activity?

Enter fullscreen mode Exit fullscreen mode

That is the difference between supporting SMTP and understanding email providers.

The C# testing loop I wish I had started with

Instead of starting with "send an email," I wish I had started with a checklist:

var checks = new[]
{
    "Can resolve SMTP host",
    "Can open TCP connection",
    "Can upgrade with STARTTLS",
    "Can authenticate",
    "Can send MAIL FROM",
    "Can send RCPT TO",
    "Can send DATA",
    "Can receive final provider response",
    "Can map provider error to setup advice"
};

Enter fullscreen mode Exit fullscreen mode

The happy path is one row in that table.

The product is the rest of the table.

For each provider, I now want cases like:

✅ valid app password
❌ normal account password
❌ revoked app password
❌ wrong SMTP host
❌ wrong port
❌ STARTTLS disabled
❌ username missing full iCloud address
❌ Outlook.com account expects OAuth2 / Modern Auth
❌ provider flags suspicious login
❌ provider accepts login but rejects sender
❌ provider rate-limits or policy-blocks the message

Enter fullscreen mode Exit fullscreen mode

That is where the value is.

A generic SMTP client can throw raw provider errors.

A product should translate them.

The practical rule I ended up with

My current rule for EpicMail is:

For developer-owned smoke tests:
  Use app passwords when the provider supports them.

For user-owned accounts:
  Use OAuth2 / provider-approved auth flows.

For serious production sending:
  Consider transactional email providers instead of consumer inboxes.

Enter fullscreen mode Exit fullscreen mode

App passwords made Gmail, iCloud Mail, and Outlook.com easier to compare because they reduced the test surface area.

That mattered.

It let me test the boring-but-critical pieces first:

  • SMTP host and port
  • STARTTLS behavior
  • message construction
  • sender validation
  • recipient validation
  • provider-specific rejection messages
  • useful diagnostics

Then OAuth can come later as a product-grade authentication layer instead of blocking the first transport-layer proof.

OAuth is the production path.

App passwords are the debugging ladder.

Do not ship the ladder as the building... or if you do then version 1.1 should be adding OATH to Outlook, Gmail, iCloud... probably in that order too.

References