Encrypt password in CFMAIL

I am using my work's CF8 server to run an application that utilizes a CFMAIL tag.  My work requires me to have the server name, username and password (of my email account) in the CFMAIL tag in order to authenticate with the work email server.

Is there any way to encrypt the password so that it won't be exposed in the code?

Thanks for any help!
Peg
mrotstein Asked:
 
azadisaryev Commented:
there are ways to encrypt your password, but... your mail server will NOT accept it then, as it would not match the password for your email account.

the question here is: why do you want to hide it in your code? is it because other people working on same code will see it? then set up a separate account on your server to be used just for authenticating with your server in <cfmail> tags: remember - the username and password you specify in <cfmail> tag DO NOT have to be the username and password of the account you use in FROM attribute. they just need to be a username and password of a valid email account on your server.

if you are worried about someone using your application seeing the password - do not worry: CFML code is NOT returned to the browser. view the source of your pages in the browser and you will see that none of your cfml code is there.

Erik's suggestion is a valid one, though it does not solve the problem of other developers who have access to cfml code you write seeing your password - if they can see cfml code, they can just as easily view the code in your Application.cfm/.cfc and see your password.  But in general, it is a valid practice to save mailserver authentication info in application-scope variables and use those in your code.

Azadi
 
erikTsomik (System Architect, CF programmer) Commented:
you can store the user name and password in application.cfm
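Storing the mail account in application-scope variables, as erikTsomik and azadisaryev describe above, could look like the following. This is an added example, not code posted by anyone in the thread; the application name, the settings file path, its `[smtp]` section layout and the e-mail addresses are assumptions. Reading the values from a file outside the web root keeps the password out of the CFML source, and who can read it then depends on that file's permissions.

```cfml
<!--- Application.cfc (added example; names and paths are hypothetical) --->
<cfcomponent output="false">
    <cfset this.name = "mailCredentialDemo">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Hypothetical path: keep this file outside the web root and
              readable only by the ColdFusion service account. --->
        <cfset var iniFile = "D:\cfconfig\mail.ini">
        <cfset var key = "">
        <cfset var settings = structNew()>

        <!--- mail.ini is assumed to hold an [smtp] section with
              server, username and password entries for the
              dedicated mail account. --->
        <cfloop list="server,username,password" index="key">
            <cfset settings[key] = trim(getProfileString(iniFile, "smtp", key))>
            <!--- getProfileString returns an empty string for a missing
                  entry; fail at startup rather than at the first <cfmail>. --->
            <cfif NOT len(settings[key])>
                <cfthrow type="MailConfig.Missing"
                         message="Missing [smtp] #key# entry in the mail settings file.">
            </cfif>
        </cfloop>

        <cfset application.mail = settings>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- sendNotice.cfm: the template references the variables, not the literals.
      The FROM address does not have to belong to the authenticating account. --->
<cfmail to="recipient@example.com"
        from="noreply@example.com"
        subject="Test message"
        server="#application.mail.server#"
        username="#application.mail.username#"
        password="#application.mail.password#">
This message was sent with the dedicated mail account.
</cfmail>
```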
 
mrotstein (Author) Commented:
Thank you for your detailed response.  It was very helpful!  Yes, I was worried about other developers seeing my email login information.  I am setting up a separate account on the server for email.  That is a perfect solution!
Peg
 
Jones911 Commented:
Why don't you set the mail server, username and password in the ADMIN section ( /cfide/administrator ) then there is no need to put user names/passwords into code at all.
 
azadisaryev Commented:
@Jones911:
isn't that a valid thing to do only when it is THE ONE AND ONLY mail server your applications running on this cf server may be using?
there's a setting in CF Admin for "backup mail servers"... but i am not quite sure how that works... will the <cfmail> tag try to use the next defined mail server if sending mail through the default mail server fails due to invalid authentication?

Azadi
 
Jones911 Commented:
@azadi
If you have shared hosting your point is valid but if you have full control of the server and a smtp mail server then I think I would prefer not to code usernames/passwords into code and simply use <cfmail to="" from="" subject="" type="">Mail Message</cfmail>

I guess I have always had full server control so it hasn't been an issue apart from one blog which I host on a shared server which does set usernames and passwords in a config file.
 
azadisaryev Commented:
@Jones911:
yeah, that's what i thought...
but have you played with the "backup mail servers" setting in CF Admin? does it actually make <cfmail> tags try other mail servers listed in that "backup" textarea when authentication for the default mail server fails? or are those backup mail servers only used when there's no response from the main mail server?
just curious - i've never used that "backup mail servers" feature and have no idea what exactly it does and when those servers are used... any ideas?

Azadi
 
Jones911 Commented:
@azadi

No I haven't but we have a script that moves mail from undelivered to spool as now and then some email does fail to send.  Also we only have 1 smtp server but I'd think it would work like you say if it fails it would try on the second server.  I would like to try this out.
 
azadisaryev Commented:
@Jones911:
interesting... just ran some quick tests...

i have defined a totally bogus mailserver as default mailserver in CF Admin.
then i specified a valid mailserver (with username and password) in the "backup mail server" field.
then i used a plain vanilla <cfmail> tag (without any username/password/server attributes in it, so it has to use the default mailserver set up in cf admin) to send an email, using a TOTALLY BOGUS email account in the FROM attribute, and... i DID receive the email!

mind you, my thunderbird's junk/spam filter has automatically put it in the JUNK folder... but, nonetheless -> it looks like <cfmail> tag will try and use a mailserver from 'backup' list in case it can't send an email from default mailserver specified in cf admin, and NOT just when the default mailserver can't be reached, but EVEN if the default mail server does not exist at all (!).

that was an interesting experiment... now i actually know how the default and backup mailservers are used by cf.

Azadi
 
Jones911 Commented:
@Azadi  Nice thanks for reporting back your findings.
Question has a verified solution.