CFMAIL not secure if it uses your email and password

The way that ColdFusion MX is configured for CFMAIL, you have to embed your email and password into a processing page. This doesn't seem very secure to me.

The processing page looks like this:

<!--- The SMTP credentials sit in plain text in the page itself --->
<CFMAIL
   server="mail.YourDomain.com"
   username="AnyEmail@YourDomain.com"
   password="YourEmailPassword"
   from="AnyEmail@YourDomain.com"
   to="AnyEmail@AnyDomain.com"
   subject="Any Subject">

   This is the body of the message.

</CFMAIL>


Anyone have any other ideas?
ServalStudios asked:
usachrisk1983 commented:
While it may work, it's probably overkill.  Although you may argue that nothing is overkill for security :)  If you're going to go this route, I wouldn't wrap the CFMAIL inside the CFOUTPUT, do it like so:

<cfquery name="validate" datasource="mydata">
    SELECT * FROM mytable
    WHERE id = '1'
</cfquery>

<cfif isValid("email", form.email)>

    <!--- cfmail evaluates #...# in its own attributes and body,
          so no surrounding cfoutput is needed --->
    <cfmail
        server="mail.mydomain.org"
        username="#validate.validemail#"
        password="#validate.password#"
        from="#form.email#"
        to="test@mydomain.org"
        subject="Visitation Response"
        type="html">
        #form.Name# <br>
        #form.Comments# <br>
        <br>
        #form.Location# <br>
    </cfmail>

    <cflocation url="https://mydomain.com/thankyou.html">

<cfelse>
    <H2>You must supply a valid email address.</H2>
</cfif>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow">
</head>
usachrisk1983 commented:
Sure, keep it in CFADMIN instead:

"Specify the server for sending SMTP mail messages. You can specify an Internet address (for example, mail.company.com) or the IP address of the mail server (for example, 127.0.0.1). If your mail server requires authentication, you can specify a user name and password in the format user:password@mail.company.com."

ServalStudios (author) commented:
What is CFADMIN?  Is that something you set on the server? I can't do that with shared hosting.
usachrisk1983 commented:
Username and Password are optional and based on the outgoing mail server (are you sure yours needs it?)

The simplest solution would be if your host set up an outgoing mail server for you. You can test this by just doing:

<cfmail from="youremail@yourhost.com" to="youremail@yourhost.com" subject="test">Hello!</cfmail>

If it works, your host is taking care of SMTP. If they didn't set up an SMTP server for you to use, then yes, you'll have to provide one in your CFMAIL tag, along with a username and password.

While there are a variety of ways you can get this to the tag, I wouldn't say any are more secure than what you're using now.  For example, you could store them as variables in a different file, but if a user can get to the file that has the CFMAIL tag, they could probably find the other file.

Another solution might be to store these in a file outside of your webroot, CFFILE read it and get the information, store them in variables, and then put them in CFMAIL, but again, it's only as secure as your host is.

In the end, it's probably just as secure to keep it in your CFM file as it is in any other file.
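A worked version of the "file outside the webroot, read it with CFFILE" approach from the comment above, added here as an example; it is not code from the thread. The path /home/youraccount/private/mail.properties, the key=value file format, the variable names, and an Application.cfm that names the application (so the application scope exists) are assumptions for this example; the recipient address, isValid() check and thank-you URL are the ones used elsewhere in the thread.

```cfml
<!--- mailform.cfm (added example, not from the original thread).
      Assumed credentials file, kept OUTSIDE the web root so no URL maps to it:
          /home/youraccount/private/mail.properties
      with contents (one key=value per line):
          server=mail.mydomain.org
          username=noreply@mydomain.org
          password=YourEmailPassword
--->
<cfset credentialsPath = "/home/youraccount/private/mail.properties">

<!--- Read and parse the file once, then cache it in the application scope,
      so the page that visitors hit never contains the password itself. --->
<cfif NOT structKeyExists(application, "mailSettings")>
    <cflock scope="application" type="exclusive" timeout="10">
        <cfif NOT structKeyExists(application, "mailSettings")>
            <cffile action="read" file="#credentialsPath#" variable="rawSettings">
            <cfset settings = structNew()>
            <!--- split on CR and LF; CF list loops skip empty items, so CRLF is fine --->
            <cfloop index="line" list="#rawSettings#" delimiters="#chr(10)##chr(13)#">
                <cfif find("=", line)>
                    <!--- listRest keeps any '=' that appears inside the password --->
                    <cfset settings[trim(listFirst(line, "="))] = trim(listRest(line, "="))>
                </cfif>
            </cfloop>
            <cfset application.mailSettings = settings>
        </cfif>
    </cflock>
</cfif>

<cfif NOT isValid("email", form.email)>
    <h2>You must supply a valid email address.</h2>
<cfelse>
    <!--- A CR or LF in a value that ends up in a mail header lets a visitor
          append their own headers; refuse such input outright. --->
    <cfif refind("[#chr(10)##chr(13)#]", form.email & form.name) GT 0>
        <h2>Invalid input.</h2>
        <cfabort>
    </cfif>

    <cfmail
        server="#application.mailSettings.server#"
        username="#application.mailSettings.username#"
        password="#application.mailSettings.password#"
        from="#application.mailSettings.username#"
        replyto="#form.email#"
        to="test@mydomain.org"
        subject="Visitation Response"
        type="html">
        <!--- htmlEditFormat() escapes < > & " so visitor input cannot
              inject markup into the HTML mail body --->
        #htmlEditFormat(form.name)# <br>
        #htmlEditFormat(form.comments)# <br>
        <br>
        #htmlEditFormat(form.location)# <br>
    </cfmail>

    <cflocation url="https://mydomain.com/thankyou.html" addtoken="no">
</cfif>
```

The From header is set to the mailbox the credentials belong to and the visitor's address goes in replyto, because many authenticating SMTP servers reject a From that does not match the authenticated user. The caveat from the comment still stands: on shared hosting, make the properties file readable only by the account the ColdFusion service runs as, and remember that any other template running on the same ColdFusion instance can still read it, so this is only as secure as the host's isolation between customers.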
 
ServalStudios (author) commented:
My hosting company does require the username and password.  What I ended up doing is making a little database with the email and password in it.  I ended up using the CFMAIL form to query the database for the username and password.  It seems like the mail is taking a longer time to reach me when it is submitted, but it seems to be working.  Maybe there is a cleaner way to write this form? Do you think this would be secure? I tried querying the mailform page, and didn't get an error page with my email or password in it.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<!--- fetch the SMTP username and password from the database row --->
<cfquery name="validate" datasource="mydata">
    SELECT * FROM mytable
    WHERE id = '1'
</cfquery>

<cfif isValid("email", form.email)>

    <CFOUTPUT query="validate">
        <cfmail
            server="mail.mydomain.org"
            username="#validemail#"
            password="#password#"
            from="#form.email#"
            to="test@mydomain.org"
            subject="Visitation Response"
            type="html">
            #form.Name# <br>
            #form.Comments# <br>
            <br>
            #form.Location# <br>
        </cfmail>

        <cflocation url="https://mydomain.com/thankyou.html">
    </cfoutput>

<cfelse>
    <H2>You must supply a valid email address.</H2>
</cfif>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow">
</head>
ServalStudios (author) commented:
Ah, I thought you had to have a CFOUTPUT to get the info. This is much better. Thanks.