A Post Script …
If the computer is plugged in to power, connected to a network, and turned on you can hack it … but it may not be easy.
Lets just quickly run through some of the issues:
- IF they are on a corporate network, there’s a good chance that the network admin has set up their internal DNS to return the SMTP server via the MX lookup I mentioned above. This would be one of the ways the system I outlined would work.
- IF they are on a non-corporate network (i.e. at home or a small business) there’s a possibility that this will also work if their ISP happens to use the same server for in/outbound mail.
- Why not use an external 3rd party SMTP server? Lets say we want to send an email from fred@bloggs.com so we fire it at the 3rd party delivery system as recommended by others above. If the owner of bloggs.com has explicitly set an SPF record on their domain, which is becoming the standard these days (if you haven’t done this already then your domain is open to spam spoofing) then sending an email via a 3rd party email service will cause the email to fail to be delivered to any mail box where the server has SPF checking enabled (again, becoming more common these days). An SPF record is essentially telling the world that mail from bloggs.com will only be coming from the IP specified in the record, as we’re sending it via a 3rd party, that will be a problem unless the owner of bloggs.com makes the alteration to the SPF record to include the 3rd party service’s SMTP server IP. If none of this is checked/done then its hit and miss if the email will be delivered as it depends on the server where the email was sent if they bother checking the SPF record to validate the incoming email.
- Why not use an internal SMTP sever that we ship with the product or send it ourselves directly to the endpoint of the mail? This is a similar issue to number 3 above. We try to send fred@bloggs.com but the public facing IP of our outbound traffic is 1.2.3.4 and the SPF record that the owner of bloggs.com has set up for out official mail server for bloggs.com is 1.2.3.10. This is essentially telling the whole world that mail from bloggs.com should only be coming from 1.2.3.10 and as we’re just sent some from 1.2.3.4 anyone getting that email who also checks SPF records will dump that email as spam.
- Can I send it via a 3rd party? Sure, but you need to use a known from address not the users email address. As you know the from address (probably related to your service) then it will be easy to create the SPF for that domain and add the 3rd party delivery system onto the record. However this will not personalise the email as they will all be coming from your known domain/email, not the users domain/email. While this might not be perfect it will always work. You could implement a system where the from address is unique to the user and an email received in reply is automatically forwarded back to the user. A way around this would be to specify the reply to address on the email you send from your service so when the email is replied to it goes right back to your user, however some email clients ignore this as a possible security risk if the from and reply to emails are vastly different.
- Can we gather the information from the users installed mail client? Probably, but you’d have to code to multiple platforms and multiple mail clients. Is it worth your time to implement vs the user digging out their email server info? Only you can decide that.
- Could I automate the email client to send my email? You might, depending on the platform and the email client in use you could use something like OLE to ask outlook to send your email. If the user doesn’t have the platform or email client you have programmed for then you’re back to asking for the details.
- Could I ask them to send an email through their existing system to my service then strip out the IP from the headers? Not really, some mail server setups specifically strip out “internal” information before they send on the email (increased security) so you can’t guarantee that you can find out the route the email took all the way from their email client to their mail server and on to yours.
It certainly isn’t a simple question with a simple solution.
As I mentioned prior, the short answer is make a best guess using the system I outlined previously, failing that ask them for the details.
Thanks to both of you, Julian and Mark, for your well-thought through inputs and the rest of you that responded with your ideas …you’ve provided me with a number of avenues to check out and given me a better understanding of the way things work.
… and I don’t feel like the idiot I did when I posted the question to begin with 