Outbound email
The outbound email service sends email from IDM using a script or the REST API.
You can edit the email service over REST at the config/external.email
endpoint, or in the external.email.json
file in your project’s conf
directory.
IDM supports UTF-8 (non-ascii/international) characters in email addresses, such as zoë@example.com. When sending emails to these type of addresses, the configured SMTP server must also support UTF-8. |
Email service configuration types
IDM supports two email service configuration types:
-
SMTP - Email service that uses the Simple Mail Transfer Protocol.
-
MS Graph API - Email service that uses the MS Graph API
sendMail
endpoint.
MS Graph API requirements
Use of the MS Graph API email client requires a properly configured Microsoft Azure tenant. The basic steps for configuring an Azure tenant should be used as an outline, as the specific options, menus, and features may have changed.
Configure Azure for MS Graph API mail client
-
Navigate to Azure Active Directory | App registrations.
-
Create the IDM client application:
-
From the menu bar, click + New Registration.
-
On the Register an application page, enter the application Name, such as
idm-email-client
. -
For Supported account types, select the applicable option for your organization.
-
Click Register.
-
On the idm-email-client page, in the main Essentials area, record the Application (client) ID.
This is the value for clientId
in theauth
settings of the email configuration. Refer tooauth2
properties.
-
-
Add a client secret:
-
On the idm-email-client page, in the main Essentials area, click Add a certificate or secret.
Show Me
-
On the Certificates & secrets page, select the Client secrets tab, and click + New client secret.
Show Me
-
In the Add a client secret window, enter the details, and click Add.
-
Copy the Value and Secret ID to a secure place before leaving the Certificates & secrets page.
Use the secret Value for clientSecret
in theauth
settings of the email configuration. Refer tooauth2
properties.
-
-
Add API permissions:
-
From the side menu, click API permissions.
-
On the API permissions page, click + Add a permission.
-
In the Request API permissions windows, select the Microsft APIs tab, and click Microsoft Graph.
-
In the What type of permissions... area, click Application permissions.
-
In the Select permissions search bar, type
send
. -
Expand the Mail node, and select Mail.Send.
-
Click Add permissions.
Show Me
-
Configure outbound email
To configure the outbound email service using the admin UI, click Configure > Email Settings.
-
Edit the email configuration with the mail server details and account.
-
For the complete list of configuration options, refer to External email configuration properties.
-
For sample email configurations, refer to Sample email configuration.
-
-
Submit the configuration over REST or copy the file to your project’s
conf/
directory. For example:RESTcurl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --request PUT \ --data '{ "host" : "smtp.gmail.com", "port" : 587, "debug" : false, "auth" : { "enable" : true, "username" : "admin", "password" : "Passw0rd" }, "from" : "admin@example.com", "timeout" : 300000, "writetimeout" : 300000, "connectiontimeout" : 300000, "starttls" : { "enable" : true }, "ssl" : { "enable" : false }, "smtpProperties" : [ "mail.smtp.ssl.protocols=TLSv1.2", "mail.smtps.ssl.protocols=TLSv1.2" ], "threadPoolSize" : 20 }' \ "http://localhost:8080/openidm/config/external.email"
Filesystemcp /path/to/external.email.json /path/to/openidm/conf/
IDM encrypts the password.
Sample email configuration
This sample email configuration sets up the outbound email service:
{
"host" : "smtp.gmail.com",
"port" : 587,
"debug" : false,
"auth" : {
"enable" : true,
"username" : "xxxxxxxx",
"password" : "xxxxxxxx"
},
"timeout" : 300000,
"writetimeout" : 300000,
"connectiontimeout" : 300000,
"starttls" : {
"enable" : true
},
"ssl" : {
"enable" : false
},
"smtpProperties" : [
"mail.smtp.ssl.protocols=TLSv1.2",
"mail.smtps.ssl.protocols=TLSv1.2"
],
"threadPoolSize" : 20
}
{
"type" : "msgraph",
"mailEndpoint" : "https://graph.microsoft.com/v1.0/users/example@myTenant.onmicrosoft.com/sendMail",
"from" : "example@myTenant.onmicrosoft.com",
"auth" : {
"enable" : true,
"type" : "oauth2",
"clientId" : "clientId",
"clientSecret" : "clientSecret",
"tokenEndpoint" : "https://login.microsoftonline.com/myTenant.onmicrosoft.com/oauth2/v2.0/token",
"scope" : [
"https://graph.microsoft.com/.default"
]
},
"timeout" : 300000,
"writetimeout" : 300000,
"connectiontimeout" : 300000,
"threadPoolSize" : 20
}
External email configuration properties
The msgraph
type also supports the External REST configuration properties.
Property | Description | Required? / Type Support |
||
---|---|---|---|---|
|
The email service type, |
No |
||
|
The URI for the MS Graph API Typical format:
|
Yes Only for |
||
|
The host name or IP address of the SMTP server. This can be the |
Yes Only for |
||
|
SMTP server port number, such as 25, 465, or 587.
|
Yes Only for |
||
|
When set to |
No Only for |
||
|
Specifies a default From: address which displays when users receive emails from IDM.
|
No |
||
|
Contains authentication detail sub-properties. Refer to the authentication sub-properties table for all options. |
Yes Required sub-properties vary based on |
||
|
If |
No Only for |
||
|
Set |
No Only for |
||
|
Specifies the SSL protocols that will be enabled for SSL connections. Protocols are specified as a whitespace-separated list. The default protocol is TLSv1.2. |
No Only for |
||
|
Emails are sent in separate threads managed by a thread pool. This property sets the number of concurrent emails that can be handled at a specific time. The default thread pool size (if none is specified) is |
No |
||
|
The socket connection timeout, in milliseconds. The default connection timeout (if none is specified) is |
No |
||
|
The socket read timeout, in milliseconds. The default read timeout (if none is specified) is |
No Only for |
||
|
The socket write timeout, in milliseconds. The default write timeout (if none is specified) is |
No Only for |
Property | Description | Required? / Type Support |
||
---|---|---|---|---|
|
Whether you need login credentials to connect to the server/API.
|
Yes |
||
|
Account used to connect to the server/API. |
No |
||
|
Password used to connect to the server/API. |
No |
||
|
Authentication type used to connect to the server/API:
|
Yes |
||
The following properties are only applicable when the |
||||
|
clientId used to request an access token from the token endpoint. Obtained during Azure application creation. |
Yes |
||
|
clientSecret used to request an access token from the token endpoint. Obtained during Azure application creation. |
Yes |
||
|
OAuth2 token endpoint. Typical format:
|
Yes |
||
|
Requested OAuth2 scopes in a JSON array of strings. |
Yes |
||
|
Scope delimiter to use. Defaults to space. |
No |
||
|
The only supported grant type is |
No |
Send mail using REST
In a production environment, you typically send mail from a script. To test your configuration, you can use the REST API by sending an HTTP POST to /openidm/external/email
. You pass the message parameters as part of the POST payload, URL encoding the content, as necessary.
The following example sends a test email using the REST API:
curl \ --header "Content-Type: application/json" \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ --data '{ "from":"openidm@example.com", "to":"your_email@example.com", "subject":"Test", "body":"Test"}' \ "http://localhost:8080/openidm/external/email?_action=send" { "status": "OK", "message": "Email sent" }
By default, a response is returned only when the SMTP relay has completed. To return a response immediately, without waiting for the SMTP relay to finish, include the parameter waitForCompletion=false
in the REST call. Use this option only if you do not need to verify that the email was accepted by the SMTP server. For example:
curl \ --header "Content-Type: application/json" \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ --data '{ "from":"openidm@example.com", "to":"your_email@example.com", "subject":"Test", "body":"Test"}' \ "http://localhost:8080/openidm/external/email?_action=send&waitForCompletion=false" { "status": "OK", "message": "Email submitted" }
Mail templates
You can send an email template using the sendTemplate
action. For example:
curl \ --header "Content-Type: application/json" \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ --data '{ "templateName":"welcome", "to":"your_email@example.com", "cc":"alt_email@example.com", "bcc":"bigBoss_email@example.com"}' \ "http://localhost:8080/openidm/external/email?_action=sendTemplate" { "status": "OK", "message": "Email sent" }
Email templates utilize Handlebar expressions to reference object data dynamically. For example, to reference the
|
Send mail using a script
You can send email using the resource API functions, with the external/email
context. For more information about these functions, refer to openidm.action. In the following example, params
is an object that contains the POST parameters:
var params = new Object();
params.from = "openidm@example.com";
params.to = "your_email@example.com";
params.cc = "bjensen@example.com,scarter@example.com";
params.subject = "OpenIDM recon report";
params.type = "text/html";
params.body = "<html><body><p>Recon report follows...</p></body></html>";
openidm.action("external/email", "send", params);
Mail templates
You can send an email template using the sendTemplate
action. For example:
var params = new Object();
params.templateName = "welcome";
params.to = "your_email@example.com";
params.cc = "bjensen@example.com,scarter@example.com";
params.bcc = "bigBoss@example.com";
openidm.action("external/email", "sendTemplate", params);
var params = new Object();
params.templateName = "myTemplate";
params.to = "hgale815@example.com";
params.object = { "givenName": newObject.givenName, "sn": newObject.sn, "mail": newObject.mail, "country": newObject.country };
openidm.action("external/email", "sendTemplate", params);
Email templates utilize Handlebar expressions to reference object data dynamically. For example, to reference the
|
external/email
POST parameters
IDM supports the following POST parameters:
from
-
Sender mail address
to
-
Comma-separated list of recipient mail addresses
cc
-
Optional comma-separated list of copy recipient mail addresses
bcc
-
Optional comma-separated list of blind copy recipient mail addresses
subject
-
Email subject
body
-
Email body text
type
-
Optional MIME type. One of
"text/plain"
,"text/html"
, or"text/xml"
.
Email rate limiting
No rate limiting is applied to password reset emails, or any emails sent by the IDM server. This means that an attacker can potentially spam a known user account with an infinite number of emails, filling that user’s inbox. In the case of password reset, the spam attack can obscure an actual password reset attempt.
In a production environment, you must configure email rate limiting through the network infrastructure in which IDM runs. Configure the network infrastructure to detect and prevent frequent repeated requests to publicly accessible web pages, such as the password reset page. You can also handle rate limiting within your email server.