Solved

CFMAIL not secure if it uses your email and password

Posted on 2006-07-14
Last Modified: 2013-12-24
The way that ColdFusion MX is configured for CFMAIL, you have to embed your email and password into a processing page. This doesn't seem very secure to me.

The processing page looks like this:

<CFMAIL
   server="mail.YourDomain.com"
   username="AnyEmail@YourDomain.com"
   password="YourEmailPassword"
   from="AnyEmail@YourDomain"
   to="AnyEmail@AnyDomain.com"
   subject="Any Subject">

   This is the body of the message.

</CFMAIL>


Anyone have any other ideas?
Question by:ServalStudios
6 Comments
LVL 13

Expert Comment

by:usachrisk1983
ID: 17110903
Sure, keep it in CFADMIN instead:

"Specify the server for sending SMTP mail messages. You can specify an Internet address (for example, mail.company.com) or the IP address of the mail server (for example, 127.0.0.1). If your mail server requires authentication, you can specify a user name and password in the format user:password@mail.company.com."

LVL 1

Author Comment

by:ServalStudios
ID: 17111562
What is CFADMIN?  Is that something you set on the server? I can't do that with shared hosting.
LVL 13

Expert Comment

by:usachrisk1983
ID: 17111693
Username and Password are optional and based on the outgoing mail server (are you sure yours needs it?)

The simplest solution would be if your host set up an outgoing mail server for you. You can test this by just doing:

<cfmail from="youremail@yourhost.com" to="youremail@yourhost.com" subject="test">Hello!</cfmail>

If it works, your host is taking care of SMTP. If they didn't set up an SMTP server for you to use, then yes, you'll have to provide one in your CFMAIL tag, along with a username and password.

While there are a variety of ways you can get this to the tag, I wouldn't say any are more secure than what you're using now.  For example, you could store them as variables in a different file, but if a user can get to the file that has the CFMAIL tag, they could probably find the other file.

Another solution might be to store these in a file outside of your webroot, CFFILE Read it and get the information, store them in variables, and then put them in CFMAIL, but again, it's only as secure as your host is.  

In the end, it's probably just as secure to keep it in your CFM file as it is in any other file.
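One way to implement the "file outside the webroot" approach described in the comment above, as an added example that is not code from this thread. It assumes a credential file at D:\private\mailcreds.txt containing key=value lines, reuses the mydomain.org addresses from the question, and (as an addition) sends from a fixed address with the visitor's address in replyto rather than putting visitor input in the From header.

```cfml
<!--- Added example: read SMTP credentials from a file outside the webroot,
      then pass them to CFMAIL. Path and file format are assumptions. --->
<cfset credPath = "D:\private\mailcreds.txt">  <!--- assumed: not served by the web server --->
<cfif NOT fileExists(credPath)>
    <cfthrow message="Mail credential file not found">
</cfif>
<cffile action="read" file="#credPath#" variable="credText">

<!--- Assumed file format, one pair per line:
      username=AnyEmail@YourDomain.com
      password=YourEmailPassword --->
<cfset mailCreds = structNew()>
<cfloop list="#credText#" index="line" delimiters="#chr(13)##chr(10)#">
    <cfif listLen(line, "=") GTE 2>
        <cfset mailCreds[trim(listFirst(line, "="))] = trim(listRest(line, "="))>
    </cfif>
</cfloop>
<cfif NOT (structKeyExists(mailCreds, "username") AND structKeyExists(mailCreds, "password"))>
    <cfthrow message="Mail credential file is missing username or password">
</cfif>

<cfif isValid("email", form.email)>
    <!--- Fixed From address; the visitor's address only goes in replyto --->
    <cfmail server="mail.mydomain.org"
            username="#mailCreds.username#"
            password="#mailCreds.password#"
            from="noreply@mydomain.org"
            replyto="#form.email#"
            to="test@mydomain.org"
            subject="Visitation Response"
            type="html">
        #htmlEditFormat(form.Name)# <br>
        #htmlEditFormat(form.Comments)# <br>
        <br>
        #htmlEditFormat(form.Location)# <br>
    </cfmail>
    <cflocation url="https://mydomain.com/thankyou.html">
<cfelse>
    <h2>You must supply a valid email address.</h2>
</cfif>
```

The credential file is only as protected as the host's file permissions allow, which is the caveat the comment above already makes.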
LVL 1

Author Comment

by:ServalStudios
ID: 17111758
My hosting company does require the username and password.  What I ended up doing is making a little database with the email and password in it.  I ended up using the CFMAIL form to query the database for the username and password.  It seems like the mail is taking a longer time to reach me when it is submitted, but it seems to be working.  Maybe there is a cleaner way to write this form? Do you think this would be secure? I tried querying the mailform page, and didn't get an error page with my email or password in it.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<cfquery name="validate" datasource="mydata">
SELECT * from mytable
WHERE id= '1'
</cfquery>

<cfif isValid("email", form.email)>

<CFOUTPUT query="validate">
<cfmail
server="mail.mydomain.org"
username="#validemail#"
password="#password#"
from="#form.email#"
to="test@mydomain.org"
subject="Visitation Response"
type="html"
>
    #form.Name# <br>
    #form.Comments# <br>
    <br>
    #form.Location# <br>
  </cfmail>
 
  <cflocation url="https://mydomain.com/thankyou.html">
 </cfoutput>
<cfelse>
<H2>You must supply a valid email address.</H2>
</cfif>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow">
</head>
LVL 13

Accepted Solution

by:usachrisk1983 (earned 250 total points)
ID: 17111819
While it may work, it's probably overkill.  Although you may argue that nothing is overkill for security :)  If you're going to go this route, I wouldn't wrap the CFMAIL inside the CFOUTPUT, do it like so:

<cfquery name="validate" datasource="mydata">
SELECT * from mytable
WHERE id= '1'
</cfquery>

<cfif isValid("email", form.email)>

<cfmail
server="mail.mydomain.org"
username="#validate.validemail#"
password="#validate.password#"
from="#form.email#"
to="test@mydomain.org"
subject="Visitation Response"
type="html"
>
    #form.Name# <br>
    #form.Comments# <br>
    <br>
    #form.Location# <br>
  </cfmail>
 
  <cflocation url="https://mydomain.com/thankyou.html">
<cfelse>
<H2>You must supply a valid email address.</H2>
</cfif>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow">
</head>
LVL 1

Author Comment

by:ServalStudios
ID: 17111878
Ah, I thought you had to have a CFOUTPUT to get the info. This is much better. Thanks.