SMTP and Use with Gmail

Our vendor recommended we sign up for a MailGun email account as OpenEMR doesn’t work with password-based authentication for SMTP.

We have a Google Workspace account and would love to keep all of our emails under one email provider (and one BAA), but understand if something isn’t compatible. Does anyone know of a workaround with Google Workspace/Gmail?

The challenge with Gmail is that Google is deprecating username/password SMTP authentication in May 2022 and moving to an OAUTH2 flow for authentication. OpenEMR core isn’t set up to handle that situation and someone would have to develop that.

I discuss that in this post.

If you want to try the GMAIL option (which again goes away for Google in May 2022) you can check out Ken’s post here.

Thinking the problem through, it’s not as easy as saying “OpenEMR should support OAUTH2 services”, because those aren’t going to be generic. We can’t support “all OAUTH2 mail platforms”, we’d have to write code (is this what modules are for?) to support Google Workspace specifically, as we would any other vendor who’s declining to support even securely encrypted SMTP.

I’m not saying it’d be hard – googleapis/google-api-php-client on GitHub (a PHP client library for accessing Google APIs) covers the ground pretty convincingly – but it’d be narrow in scope and I’m not sure anybody who wasn’t impacted would volunteer to handle it.

Couldn’t the Google SSO code that’s already in OpenEMR be used for email too?

I guess I can note that it’s possible to send email without needing an email account. AWS is (as usual) my go-to example service, but you can set flags that indicate a vendor can send email on your behalf so you can keep the email account you’d prefer but originate emails without going through Google.

A second BAA would still be required but it shouldn’t be necessary to sign up for an email account if you just want to send.

@dmnlbh
You can still use Google’s SMTP. We use Google’s SMTP. There are no warnings on Google’s SMTP page that they are changing anything about the service. The only note I have read is that it will no longer be free but has to be used by a paid G Suite account holder.

As far as I know, in order to use the SMTP relay option you must enable the ‘Less Secure Apps’ option in your Google account. When you go to enable that option, Google prominently displays a big warning saying the Less Secure Apps option is going away in May 2022. However, they recently updated that advisory to say that Google Workspace accounts (formerly Google G Suite) or Google Cloud Identity accounts (whatever that is) will still be able to use the Less Secure Apps option. Businesses must have pushed back enough for them to make a change.

So if you are using a paid G Suite account it will continue to work, apparently. But be advised Google plans on deprecating this so… have contingency plans in place.


In fact-- you know what I’d do? The literal work of an afternoon? Get set up with sending email through AWS SES and then… don’t use it. Before it actually matters–

  • Examine per-email pricing with SES.
  • Authenticate SES identity for your domain (via DKIM domain records).
  • Configure an SPF record to allow amazonses.com to send mail on your behalf.
  • Generate SMTP credentials and send a test email with them.
  • Obtain a BAA from Amazon, and ask your HIPAA compliance officer for any steps to be taken about audits and logs (see CloudTrail, S3, KMS).
  • Optional: Configure abuse report destinations (see SNS, Lambda, maybe DynamoDB?).

And there you are, a secondary email sending service with no ongoing costs until you slap the credentials into OpenEMR.

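The SPF and test-send steps from the checklist above, as an added Python example that is not part of the original post: it checks a domain's TXT records for a single SPF record that authorizes amazonses.com, and sends one message over SMTP only after STARTTLS succeeds. The domain `example.org`, the `us-east-1` endpoint and the `SES_SMTP_USER` / `SES_SMTP_PASS` variable names are assumptions, and the DNS records are constructed sample data.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

def check_spf(txt_records, required=("amazonses.com",)):
    """Return a list of problems in a domain's TXT records (empty list = OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permerror at receivers,
        # a common mistake when adding a second sender next to Google.
        return ["multiple SPF records"]
    terms = spf[0].lower().split()
    includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
    problems = [f"missing include:{d}" for d in required if d not in includes]
    if "+all" in terms or "all" in terms:
        problems.append("'+all' authorizes any sender")
    return problems

def send_test(host, user, password, sender, rcpt):
    """Send one test message; never authenticates over a plaintext channel."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "SES SMTP test"
    msg.set_content("Test message sent with SES SMTP credentials.")
    with smtplib.SMTP(host, 587, timeout=15) as smtp:
        # Raises if the server lacks STARTTLS or its certificate fails to verify.
        smtp.starttls(context=ssl.create_default_context())
        smtp.login(user, password)
        smtp.send_message(msg)

if __name__ == "__main__":
    # Constructed TXT records for example.org (assumed domain): Google Workspace
    # keeps the mailboxes, SES is added as a second authorized sender.
    records = [
        "google-site-verification=CONSTRUCTED-PLACEHOLDER",
        "v=spf1 include:_spf.google.com include:amazonses.com ~all",
    ]
    print(check_spf(records, required=("amazonses.com", "_spf.google.com")) or "SPF OK")
    # Assumed environment variable names; the send is skipped when they are unset.
    if os.environ.get("SES_SMTP_USER"):
        send_test("email-smtp.us-east-1.amazonaws.com",
                  os.environ["SES_SMTP_USER"], os.environ["SES_SMTP_PASS"],
                  "noreply@example.org", "admin@example.org")
```

Keeping the SMTP credentials in the environment rather than in the script means they only need to be entered once more, when they go into OpenEMR.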