Solved

Encrypt password in CFMAIL

Posted on 2009-05-19
Last Modified: 2013-12-24
I am using my work's CF8 server to run an application that utilizes a CFMAIL tag.  My work requires me to have the server name, username and password (of my email account) in the CFMAIL tag in order to authenticate with the work email server.

Is there any way to encrypt the password so that it won't be exposed in the code?

Thanks for any help!
Peg
0
Question by:mrotstein
10 Comments
 
LVL 19

Expert Comment

by:erikTsomik
ID: 24428622
you can store the user name and password in application.cfm
0
 
LVL 27

Accepted Solution

by:
azadisaryev earned 50 total points
ID: 24428819
there are ways to encrypt your password, but... your mail server will NOT accept it then, as it would not match the password for your email account.

the question here is: why do you want to hide it in your code? is it because other people working on same code will see it? then set up a separate account on your server to be used just for authenticating with your server in <cfmail> tags: remember - the username and password you specify in <cfmail> tag DO NOT have to be the username and password of the account you use in FROM attribute. they just need to be a username and password of a valid email account on your server.

if you are worried about someone using your application seeing the password - do not worry: CFML code is NOT returned to the browser. view the source of your pages in the browser and you will see that none of your cfml code is there.

Erik's suggestion is a valid one, though it does not solve the problem of other developers who have access to cfml code you write seeing your password - if they can see cfml code, they can just as easily view the code in your Application.cfm/.cfc and see your password.  But in general, it is a valid practice to save mailserver authentication info in application-scope variables and use those in your code.

Azadi
0
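The approach discussed in the answers above (a dedicated mail account, with its credentials held in application-scope variables) can be combined with a settings file kept outside the code tree, so that developers who can read the CFML never see the password. This is an added example, not code from any poster in this thread; the file path, the `[smtp]` section and key names, the application name and the addresses are all assumptions.

```cfml
<!--- Application.cfc (added example). Assumed settings file, constructed sample:
      D:\cfconfig\mail.ini
        [smtp]
        server=mail.example.com
        username=app-mailer
        password=(password of the dedicated mail account)
      Keep the file outside the web root and out of source control, readable
      only by the account the ColdFusion service runs as. --->
<cfcomponent output="false">
    <cfset this.name = "MailDemoApp">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <cfset var iniPath = "D:\cfconfig\mail.ini">
        <cfset var cfg = structNew()>

        <cfif NOT fileExists(iniPath)>
            <!--- Fail closed and keep the message free of paths and secrets --->
            <cfthrow type="Config.MailSettings" message="Mail settings are not available.">
        </cfif>

        <cfset cfg.server   = getProfileString(iniPath, "smtp", "server")>
        <cfset cfg.username = getProfileString(iniPath, "smtp", "username")>
        <cfset cfg.password = getProfileString(iniPath, "smtp", "password")>

        <!--- getProfileString returns an empty string for a missing entry --->
        <cfif NOT len(cfg.server) OR NOT len(cfg.username) OR NOT len(cfg.password)>
            <cfthrow type="Config.MailSettings" message="Mail settings are incomplete.">
        </cfif>

        <cfset application.mail = cfg>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- sendReport.cfm (added example): no credentials appear in page code --->
<cfmail to="recipient@example.com"
        from="reports@example.com"
        subject="Nightly report"
        server="#application.mail.server#"
        username="#application.mail.username#"
        password="#application.mail.password#">
Report body goes here.
</cfmail>
```

The values still live in the application scope at run time, so keep debug output off and do not `cfdump` that scope on a server other developers can browse.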
 

Author Closing Comment

by:mrotstein
ID: 31583356
Thank you for your detailed response.  It was very helpful!  Yes, I was worried about other developers seeing my email login information.  I am setting up a separate account on the server for email.  That is a perfect solution!
Peg
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24431739
Why don't you set the mail server, username and password in the ADMIN section ( /cfide/administrator ) then there is no need to put user names/passwords into code at all.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24431958
@Jones911:
isn't that a valid thing to do only when it is THE ONE AND ONLY mail server your applications running on this cf server may be using?
there's a setting in CF Admin for "backup mail servers"... but i am not quite sure how that works... will the <cfmail> tag try to use the next defined mail server if sending mail through the default mail server fails due to invalid authentication?

Azadi
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24432135
@azadi
If you have shared hosting your point is valid but if you have full control of the server and a smtp mail server then I think I would prefer not to code usernames/passwords into code and simply use <cfmail to="" from="" subject="" type="">Mail Message</cfmail>

I guess I have always had full server control so it hasn't been an issue apart from one blog which I host on a shared server which does set usernames and passwords in a config file.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24432235
@Jones911:
yeah, that's what i thought...
but have you played with the "backup mail servers" setting in CF Admin? does it actually make <cfmail> tags try other mail servers listed in that "backup" textarea when authentication for the default mail server fails? or are those backup mail servers only used when there's no response from the main mail server?
just curious - i've never used that "backup mail servers" feature and have no idea what exactly it does and when those servers are used... any ideas?

Azadi
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24432624
@azadi

No I haven't but we have a script that moves mail from undelivered to spool as now and then some email does fail to send.  Also we only have 1 smtp server but I'd think it would work like you say if it fails it would try on the second server.  I would like to try this out.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24433280
@Jones911:
interesting... just ran some quick tests...

i have defined a totally bogus mailserver as default mailserver in CF Admin.
then i specified a valid mailserver (with username and password) in the "backup mail server" field.
then i used a plain vanilla <cfmail> tag (without any username/password/server attributes in it, so it has to use the default mailserver set up in cf admin) to send an email, using a TOTALLY BOGUS email account in the FROM attribute, and... i DID receive the email!

mind you, my thunderbird's junk/spam filter has automatically put in JUNK folder... but, nonetheless -> it looks like <cfmail> tag will try and use a mailserver from 'backup' list in case it can't send an email from default mailserver specified in cf admin, and NOT just when the default mailserver can't be reached, but EVEN if the default mail server does not exist at all (!).

that was an interesting experiment... now i actually know how the default and backup mailservers are used by cf.

Azadi
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24433299
@Azadi  Nice thanks for reporting back your findings.
0
