Solved

CFMAIL not secure if it uses your email and password

Posted on 2006-07-14
6
230 Views
Last Modified: 2013-12-24
The way that ColdFusionMX is configured for CFMAIL, you have to embed your email and password into a processing page.  This doesn't seem very secure to me..

The processing page looks like this:

<CFMAIL
   server="mail.YourDomain.com"
   username=”AnyEmail@YourDomain.com”
   password=”YourEmailPassword”      
   from="AnyEmail@YourDomain"
   to="AnyEmail@AnyDomain.com"
   subject="Any Subject">

   This is the body of the message.

</CFMAIL>


Anyone have any other ideas?
0
Comment
Question by:ServalStudios
  • 3
  • 3
6 Comments
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17110903
Sure, keep it in CFADMIN instead:

"Specify the server for sending SMTP mail messages. You can specify an Internet address (for example, mail.company.com) or the IP address of the mail server (for example, 127.0.0.1). If your mail server requires authentication, you can specify a user name and password in the format user:password@mail.company.com."

0
 
LVL 1

Author Comment

by:ServalStudios
ID: 17111562
What is CFADMIN?  Is that something you set on the server? I can't do that with shared hosting.
0
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17111693
Username and Password are optional and based on the outgoing mail server (are you sure yours needs it?)

The simplist solution would be if your host setup an outgoing mail server for you.  You can test this by just doing:

<cfmail from="youremail@yourhost.com" to="youremail@yourhost.com" subject="test">Hello!</cfmail>

If it works, your host is taking care of SMTP.  If they didn't setup an SMTP server for you to use, then yes, you'll have to provide one in your CFMAIL tag, along with a username and password.

While there are a variety of ways you can get this to the tag, I wouldn't say any are more secure than what you're using now.  For example, you could store them as variables in a different file, but if a user can get to the file that has the CFMAIL tag, they could probably find the other file.

Another solution might be to store these in a file outside of your webroot, CFFILE Read it and get the information, store them in variables, and then put them in CFMAIL, but again, it's only as secure as your host is.  

In the end, it's probably just as secure to keep it in your CFM file as it is in any other file.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:ServalStudios
ID: 17111758
My hosting company does require the username and password.  What I ended up doing is making a little database with the email and password in it.  I ended up using the CFMAIL form to query the database for the username and password.  It seems like the mail is taking a longer time to reach me when it is submitted, but it seems to be working.  Maybe there is a cleaner way to write this form? Do you think this would be secure? I tried querying the mailform page, and didn't get an error page with my email or password in it.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<cfquery name="validate" datasource="mydata">
SELECT * from mytable
WHERE id= '1'
</cfquery>

<cfif isValid("email", form.email)>

<CFOUTPUT query="validate">
<cfmail
server="mail.mydomain.org"
username="#validemail#"
password="#password#"
from="#form.email#"
to="test@mydomain.org"
subject="Visitation Response"
type="html"
>
    #form.Name# <br>
    #form.Comments# <br>
    <br>
    #form.Location# <br>
  </cfmail>
 
  <cflocation url="https://mydomain.com/thankyou.html">
 </cfoutput>
<cfelse>
<H2>You must supply a valid email address.</H2>
</cfif>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow">
</head>
0
 
LVL 13

Accepted Solution

by:
usachrisk1983 earned 250 total points
ID: 17111819
While it may work, it's probably overkill.  Although you may argue that nothing is overkill for security :)  If you're going to go this route, I wouldn't wrap the CFMAIL inside the CFOUTPUT, do it like so:

<cfquery name="validate" datasource="mydata">
SELECT * from mytable
WHERE id= '1'
</cfquery>

<cfif isValid("email", form.email)>

<cfmail
server="mail.mydomain.org"
username="#validate.validemail#"
password="#validate.password#"
from="#form.email#"
to="test@mydomain.org"
subject="Visitation Response"
type="html"
>
    #form.Name# <br>
    #form.Comments# <br>
    <br>
    #form.Location# <br>
  </cfmail>
 
  <cflocation url="https://mydomain.com/thankyou.html">
<cfelse>
<H2>You must supply a valid email address.</H2>
</cfif>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow">
</head>
0
 
LVL 1

Author Comment

by:ServalStudios
ID: 17111878
Ah.. I thought you had to have a CFOUTPUT to get the info.. This is much better.. Thanks
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Have you ever sent email via ColdFusion and thought of tracking this mail to capture the exact date and time when the message was opened ?  If yes, then this article is for you ! First we need a table user_email with columns user_id , email , sub…
Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now