I’m working on setting up an instance but I don’t want to deal with the hassle and expense of having it send e-mails.
I don’t think the loss of e-mail notifications is that big a deal - people can just use an app for that. However, I don’t want to lose the ability to reset accounts.
So I’m thinking about setting up an MTA on the same server as the Lemmy instance and setting up a script to read e-mails it receives for passwords. If the script receives an e-mail from an address attached to the account it will set the account’s password in the database based on the content of the e-mail. Users will be encouraged after login to manually update their password again so it is not stored in plain text anywhere.
My main concern with this is I’m not sure if it would be as secure as sending a password reset e-mail (even aside from the temporary plain text password). I would have the MTA check SPF and DKIM records of course. Is there a significant risk of, e.g., malicious actors spoofing e-mails to hijack accounts?
Yes, it is a bad idea - it makes your attack surface much bigger and is way more work than just setting up email handling