Solved

Encrypt password in CFMAIL

Posted on 2009-05-19
Last Modified: 2013-12-24
I am using my work's CF8 server to run an application that utilizes a CFMAIL tag.  My work requires me to have the server name, username and password (of my email account) in the CFMAIL tag in order to authenticate with the work email server.

Is there any way to encrypt the password so that it won't be exposed in the code?

Thanks for any help!
Peg
Question by:mrotstein
10 Comments
 
LVL 19

Expert Comment

by:erikTsomik
ID: 24428622
you can store the user name and password in application.cfm
0
 
LVL 27

Accepted Solution

by:
azadisaryev earned 50 total points
ID: 24428819
there are ways to encrypt your password, but... your mail server will NOT accept it then, as it would not match the password for your email account.

the question here is: why do you want to hide it in your code? is it because other people working on same code will see it? then set up a separate account on your server to be used just for authenticating with your server in <cfmail> tags: remember - the username and password you specify in <cfmail> tag DO NOT have to be the username and password of the account you use in FROM attribute. they just need to be a username and password of a valid email account on your server.

if you are worried about someone using your application seeing the password - do not worry: CFML code is NOT returned to the browser. view the source of your pages in the browser and you will see that none of your cfml code is there.

Erik's suggestion is a valid one, though it does not solve the problem of other developers who have access to cfml code you write seeing your password - if they can see cfml code, they can just as easily view the code in your Application.cfm/.cfc and see your password.  But in general, it is a valid practice to save mailserver authentication info in application-scope variables and use those in your code.

Azadi
0
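
The approach in the accepted answer above (a dedicated mail account whose credentials live in application-scope variables), shown as an added example that is not part of the original thread. The settings file path, its `[smtp]` section and key names, the addresses and the `sendNotice.cfm` template name are assumptions.

```cfml
<!--- Application.cfc: added example. The INI path, section and key names
      are assumptions. Tag syntax is used because the page's server is CF8. --->
<cfcomponent output="false">
    <cfset this.name = "mailDemoApp">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Hypothetical file kept OUTSIDE the web root, readable only by the
              account the ColdFusion service runs as. Constructed contents:
                  [smtp]
                  server=mail.example.com
                  username=app-mailer@example.com
                  password=PLACEHOLDER
              app-mailer is a dedicated send-only mailbox, not a personal one. --->
        <cfset var iniPath = "/opt/cfconfig/mail.ini">
        <cfset var cfg = structNew()>

        <cfif NOT fileExists(iniPath)>
            <cfthrow type="MailConfig" message="Mail settings file not found.">
        </cfif>

        <cfset cfg.server   = getProfileString(iniPath, "smtp", "server")>
        <cfset cfg.username = getProfileString(iniPath, "smtp", "username")>
        <cfset cfg.password = getProfileString(iniPath, "smtp", "password")>

        <!--- getProfileString returns "" for a missing entry: fail at startup
              instead of at send time. --->
        <cfif NOT (len(cfg.server) AND len(cfg.username) AND len(cfg.password))>
            <cfthrow type="MailConfig" message="Mail settings file is incomplete.">
        </cfif>

        <cfset application.mail = cfg>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- sendNotice.cfm: a separate template in the same application.
      FROM does not have to be the mailbox used to authenticate. --->
<cfmail to="recipient@example.com" from="noreply@example.com"
        subject="Status notice"
        server="#application.mail.server#"
        username="#application.mail.username#"
        password="#application.mail.password#">
Message body goes here.
</cfmail>
```

The password still exists in plain text on the server and in the application scope, so anyone who can deploy CFML into this application can read it; the dedicated mailbox limits what that exposure is worth.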
 

Author Closing Comment

by:mrotstein
ID: 31583356
Thank you for your detailed response.  It was very helpful!  Yes, I was worried about other developers seeing my email login information.  I am setting up a separate account on the server for email.  That is a perfect solution!
Peg
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24431739
Why don't you set the mail server, username and password in the ADMIN section ( /cfide/administrator ) then there is no need to put user names/passwords into code at all.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24431958
@Jones911:
isn't that a valid thing to do only when it is THE ONE AND ONLY mail server your applications running on this cf server may be using?
there's a setting in CF Admin for "backup mail servers"... but i am not quite sure how that works... will the <cfmail> tag try to use the next defined mail server if sending mail through the default mail server fails due to invalid authentication?

Azadi
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24432135
@azadi
If you have shared hosting your point is valid but if you have full control of the server and a smtp mail server then I think I would prefer not to code usernames/passwords into code and simply use <cfmail to="" from="" subject="" type="">Mail Message</cfmail>

I guess I have always had full server control so it hasn't been an issue apart from one blog which I host on a shared server which does set usernames and passwords in a config file.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24432235
@Jones911:
yeah, that's what i thought...
but have you played with the "backup mail servers" setting in CF Admin? does it actually make <cfmail> tags try other mail servers listed in that "backup" textarea when authentication for the default mail server fails? or are those backup mail servers only used when there's no response from the main mail server?
just curious - i've never used that "backup mail servers" feature and have no idea what exactly it does and when those servers are used... any ideas?

Azadi
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24432624
@azadi

No I haven't but we have a script that moves mail from undelivered to spool as now and then some email does fail to send.  Also we only have 1 smtp server but I'd think it would work like you say if it fails it would try on the second server.  I would like to try this out.
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 24433280
@Jones911:
interesting... just ran some quick tests...

i have defined a totally bogus mailserver as default mailserver in CF Admin.
then i specified a valid mailserver (with username and password) in the "backup mail server" field.
then i used a plain vanilla <cfmail> tag (without any username/password/server attributes in it, so it has to use the default mailserver set up in cf admin) to send an email, using a TOTALLY BOGUS email account in the FROM attribute, and... i DID receive the email!

mind you, my thunderbird's junk/spam filter has automatically put it in JUNK folder... but, nonetheless -> it looks like <cfmail> tag will try and use a mailserver from 'backup' list in case it can't send an email from default mailserver specified in cf admin, and NOT just when the default mailserver can't be reached, but EVEN if the default mail server does not exist at all (!).

that was an interesting experiment... now i actually know how the default and backup mailservers are used by cf.

Azadi
0
 
LVL 19

Expert Comment

by:Jones911
ID: 24433299
@Azadi  Nice thanks for reporting back your findings.
0


Question has a verified solution.
