Solved

CFMAIL not secure if it uses your email and password

Posted on 2006-07-14
Last Modified: 2013-12-24
The way that ColdFusion MX is configured for CFMAIL, you have to embed your email and password into a processing page. This doesn't seem very secure to me.

The processing page looks like this:

<CFMAIL
   server="mail.YourDomain.com"
   username="AnyEmail@YourDomain.com"
   password="YourEmailPassword"
   from="AnyEmail@YourDomain.com"
   to="AnyEmail@AnyDomain.com"
   subject="Any Subject">

   This is the body of the message.

</CFMAIL>


Anyone have any other ideas?
Question by:ServalStudios
6 Comments
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17110903
Sure, keep it in CFADMIN instead:

"Specify the server for sending SMTP mail messages. You can specify an Internet address (for example, mail.company.com) or the IP address of the mail server (for example, 127.0.0.1). If your mail server requires authentication, you can specify a user name and password in the format user:password@mail.company.com."

 
LVL 1

Author Comment

by:ServalStudios
ID: 17111562
What is CFADMIN?  Is that something you set on the server? I can't do that with shared hosting.
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17111693
Username and Password are optional and based on the outgoing mail server (are you sure yours needs it?)

The simplest solution would be if your host set up an outgoing mail server for you. You can test this by just doing:

<cfmail from="youremail@yourhost.com" to="youremail@yourhost.com" subject="test">Hello!</cfmail>

If it works, your host is taking care of SMTP. If they didn't set up an SMTP server for you to use, then yes, you'll have to provide one in your CFMAIL tag, along with a username and password.

While there are a variety of ways you can get this to the tag, I wouldn't say any are more secure than what you're using now.  For example, you could store them as variables in a different file, but if a user can get to the file that has the CFMAIL tag, they could probably find the other file.

Another solution might be to store these in a file outside of your webroot, CFFILE Read it and get the information, store them in variables, and then put them in CFMAIL, but again, it's only as secure as your host is.  

In the end, it's probably just as secure to keep it in your CFM file as it is in any other file.
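The "file outside the webroot" approach from the comment above, written out as an added example (not code from the thread). The file path, the key names in the file, and the use of the authenticated mailbox as the sender with the visitor's address in replyto are assumptions.

```cfml
<!--- Added example: SMTP credentials live in a key=value file outside the
      webroot (path is an assumption), so a request can never fetch it. --->
<cfset credFile = "C:\cfconfig\smtp.properties">
<cffile action="read" file="#credFile#" variable="rawCreds">

<!--- Parse lines of the form key=value into a struct; listRest keeps any
      '=' characters that appear inside the password itself. --->
<cfset smtp = structNew()>
<cfloop list="#rawCreds#" index="line" delimiters="#chr(10)##chr(13)#">
  <cfif find("=", line)>
    <cfset smtp[trim(listFirst(line, "="))] = trim(listRest(line, "="))>
  </cfif>
</cfloop>

<cfif isValid("email", form.email)>
  <!--- Send from the authenticated mailbox; many SMTP servers reject a
        From address that does not match the login. The visitor's address
        goes in replyto instead. --->
  <cfmail server="#smtp.server#"
          username="#smtp.username#"
          password="#smtp.password#"
          from="#smtp.username#"
          replyto="#form.email#"
          to="test@mydomain.org"
          subject="Visitation Response"
          type="html">
    <!--- HTML-encode form fields so a visitor cannot inject markup
          into an HTML-typed message. --->
    #htmlEditFormat(form.Name)#<br>
    #htmlEditFormat(form.Comments)#<br>
    <br>
    #htmlEditFormat(form.Location)#<br>
  </cfmail>
  <cflocation url="https://mydomain.com/thankyou.html" addtoken="false">
<cfelse>
  <h2>You must supply a valid email address.</h2>
</cfif>
```

The credentials file should be readable only by the account the ColdFusion service runs as; as the comment notes, this is only as strong as the host's file permissions.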
 
LVL 1

Author Comment

by:ServalStudios
ID: 17111758
My hosting company does require the username and password.  What I ended up doing is making a little database with the email and password in it.  I ended up using the CFMAIL form to query the database for the username and password.  It seems like the mail is taking a longer time to reach me when it is submitted, but it seems to be working.  Maybe there is a cleaner way to write this form? Do you think this would be secure? I tried querying the mailform page, and didn't get an error page with my email or password in it.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow" />
</head>
<body>

<cfquery name="validate" datasource="mydata">
SELECT * FROM mytable
WHERE id = '1'
</cfquery>

<cfif isValid("email", form.email)>

<cfoutput query="validate">
<cfmail
server="mail.mydomain.org"
username="#validemail#"
password="#password#"
from="#form.email#"
to="test@mydomain.org"
subject="Visitation Response"
type="html"
>
    #form.Name# <br>
    #form.Comments# <br>
    <br>
    #form.Location# <br>
</cfmail>

<cflocation url="https://mydomain.com/thankyou.html">
</cfoutput>
<cfelse>
<h2>You must supply a valid email address.</h2>
</cfif>

</body>
</html>
 
LVL 13

Accepted Solution

by:usachrisk1983 (earned 250 total points)
ID: 17111819
While it may work, it's probably overkill.  Although you may argue that nothing is overkill for security :)  If you're going to go this route, I wouldn't wrap the CFMAIL inside the CFOUTPUT, do it like so:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow" />
</head>
<body>

<cfquery name="validate" datasource="mydata">
SELECT * FROM mytable
WHERE id = '1'
</cfquery>

<cfif isValid("email", form.email)>

<cfmail
server="mail.mydomain.org"
username="#validate.validemail#"
password="#validate.password#"
from="#form.email#"
to="test@mydomain.org"
subject="Visitation Response"
type="html"
>
    #form.Name# <br>
    #form.Comments# <br>
    <br>
    #form.Location# <br>
</cfmail>

<cflocation url="https://mydomain.com/thankyou.html">
<cfelse>
<h2>You must supply a valid email address.</h2>
</cfif>

</body>
</html>
 
LVL 1

Author Comment

by:ServalStudios
ID: 17111878
Ah.. I thought you had to have a CFOUTPUT to get the info.. This is much better.. Thanks