Solved

C# Programming and IIS security

Posted on 2010-09-14
Last Modified: 2012-06-27
Hello All:

Our company is currently working on a website upgrade from the C# programmer who originally wrote the code.  In his 2nd version of the application, he has changed the authentication type (using Windows auth and tables with authentication data).  This application sends email to users in the organization and outside the organization.

Our IT consultant does not want us to use IIS on the in-house web server to pass email, as this could leave us vulnerable to spamming and eventually blacklisting.

Our C# programmer does not have the understanding of how to send the email outside of IIS.

Our hosted email company does support ASP mail with code so that we can use their servers to send email.  Our programmer does not know how to apply the code in order to avoid the IIS server sending the email.

Apologies if this is a vague question, but what we really need to assess is what road should we be heading down?

1. Should we be looking into keeping the emails passing through IIS and look into ways to secure the server from outside spamming?  Upside/downside of keeping email passing through IIS?

2. Should we be looking into finding another C# programmer who would need to learn this current application and then how to apply the ASP mail settings from our hosted email company? Should this be a specific skill set of a C# programmer, or should we be looking for other areas of expertise?

3. I should state that our email provider does not allow email with authentication.  We would really like to use them as we could more easily do message tracking through them should we have the need to troubleshoot mail issues in the future.  Is this relevant in our decision? Any drawbacks to using ASP mail in our application?

4. Is there a 3rd party application that we should be investigating?  Are there drawbacks?  Anyone have any recommendations/success stories?

Please let me know if there is more information needed.  I was sparing on specifics, as I think this is more a question of general best practices versus specific code.  But I can give details where needed.

Thank you in advance and while I don't expect the experts to train me; points will be awarded for those who can make important distinctions that are not within my skill set so we can move forward.

(75 points per question asked above)

Sincerely,
KLB
Question by:CPKGDevTeam
5 Comments
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 300 total points
ID: 33673427
1. While there is always some risk when a system is exposed to the outside world, I would feel comfortable with allowing the SMTP server on my IIS box to send the mails - properly set up & secured, and with a properly configured firewall device, this shouldn't really be an issue at all.  e.g. The SMTP server could be set up to only accept inbound SMTP connections from itself, thereby eliminating the possibility of someone else "hijacking" and using it to send SPAM.
2. Sending mail from a C# application is usually a very trivial task.  It's also easy to specify which server to send mail through, which means adapting it to use your e-mail provider's SMTP server shouldn't be any trouble at all.
3. Can you send mail without authentication? Do they provide you with SMTP server addresses for your use?  "Our hosted email company does support ASP mail with code..." - do you mean your web hosting company, or your email hosting company?
4. I don't see any need for any third party application.
0
 

Author Comment

by:CPKGDevTeam
ID: 33673573
tgerbert:

Thank you for your answers. To clarify point #3; our hosted email provider (Intermedia) has given us code to use to send email using System.Web.Mail namespace.  We host our own website.

Below is Intermedia's C# example of System.Web.Mail.  Unfortunately, I do not know how this could be applied to our current C# application.  And it seems that neither does our C# programmer.

We use Intermedia for hosted email AND we have our DNS there as well (should that be a consideration).  And we cannot send email without authentication (when using pop); but the ASP mail was supposed to be a work around.  Am I misunderstanding the information I was given by Intermedia?

Thanks again,
KLB

The .NET framework allows us to send emails of both text and HTML formats using classes of the following namespaces:

System.Web.Mail (for ASP.NET 1.1)

To send mail using System.Web.Mail namespace you must use scriptmail.intermedia.net SMTP server. The below examples are written in C# and VBScript, they will work on all our Windows 2000 and Windows 2003 servers.

C#

<%@ Import Namespace="System.Web.Mail"%>
<script language="C#" Debug="true" runat="server">
    void Page_Load()
    {
        try
        {
            MailMessage oMsg = new MailMessage();
            oMsg.From = "mailbox@yourdomain.com";
            oMsg.To = "recipient@theirdomain.com";
            oMsg.Subject = "Send Using Web Mail";
            oMsg.BodyFormat = MailFormat.Html;
            oMsg.Body = "<HTML><BODY><B>Hello World!</B></BODY></HTML>";
            SmtpMail.SmtpServer = "scriptmail.intermedia.net";
            SmtpMail.Send(oMsg);
            oMsg = null;
        }
        catch (Exception e)
        {
            Console.WriteLine("{0} Exception caught.", e);
        }
    }
</script>

0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 33673791
POP is for retrieving mail, SMTP is for sending. They're saying you can send mail using their SMTP server, which is scriptmail.intermedia.net, and they have provided you with a very simple, very generic, example for illustrative purposes - you don't have to use their code (it's just a sample).  I would guess, however, that the SMTP server they've given you will only accept mail from their own web servers - which means such code would only work correctly if the website were hosted on one of Intermedia's servers, and not on your server.  Also possible, but less likely, is that the SMTP server requires a username & password, that Intermedia has provided to you, and will work with code running on any web server.
Don't you have POP and SMTP server addresses for your e-mail system?  You should be able to set up a username and password on your hosted e-mail system, and use those credentials for sending mail from your web application.
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 300 total points
ID: 33673872
Here's an example of sending mail with authentication...

// SMTP server address provided by intermedia,
// e.g. whatever you use to setup e-mail clients
string smtpServerAddress = "smtp.intermedia.net";

// E-mail username & password
string userName = "MyUserName";
string password = "secret";

// E-mail message details
string toAddress = "recipient@theirdomain.com";
string fromAddress = "sender@yourdomain.com";
string subject = "Test Message";
string body = "Hello World";

System.Net.Mail.SmtpClient smtpClient = new System.Net.Mail.SmtpClient(smtpServerAddress);
System.Net.Mail.MailMessage message = new System.Net.Mail.MailMessage(fromAddress, toAddress);

smtpClient.UseDefaultCredentials = false;
smtpClient.Credentials = new System.Net.NetworkCredential(userName, password);

message.Body = body;
message.IsBodyHtml = false;
message.Subject = subject;

smtpClient.Send(message);

0
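A variant of the authenticated send above, as an added example that is not part of the original answer or of Intermedia's documentation: it keeps the password out of source code, requires TLS before credentials are sent, and rejects line breaks in header fields. It assumes .NET 4 or later, that the provider offers STARTTLS on port 587, and the environment variable names SMTP_HOST, SMTP_USER and SMTP_PASS, which are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Mail;

// Added example, not code from the thread.
// Assumptions: provider supports STARTTLS on port 587; the environment
// variable names SMTP_HOST / SMTP_USER / SMTP_PASS are hypothetical.
public static class ProviderMailer
{
    // Reject CR/LF so a user-supplied value cannot add extra mail headers.
    static string NoNewlines(string value, string field)
    {
        if (value == null || value.IndexOfAny(new[] { '\r', '\n' }) >= 0)
            throw new ArgumentException("Invalid characters in " + field);
        return value;
    }

    // Read a required setting from the environment instead of source code.
    static string RequireEnv(string name)
    {
        string v = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(v))
            throw new InvalidOperationException("Missing setting: " + name);
        return v;
    }

    public static void Send(string from, string to, string subject, string body)
    {
        using (var message = new MailMessage(NoNewlines(from, "from"), NoNewlines(to, "to")))
        using (var client = new SmtpClient(RequireEnv("SMTP_HOST"), 587))
        {
            message.Subject = NoNewlines(subject, "subject");
            message.Body = body;
            message.IsBodyHtml = false;

            client.EnableSsl = true;              // Send throws if the server does not offer STARTTLS
            client.UseDefaultCredentials = false; // do not fall back to the app pool's Windows identity
            client.Credentials = new NetworkCredential(RequireEnv("SMTP_USER"), RequireEnv("SMTP_PASS"));
            try
            {
                client.Send(message);
            }
            catch (SmtpException ex)
            {
                // Log the status code only, never the credentials or message body.
                Console.Error.WriteLine("SMTP send failed: {0}", ex.StatusCode);
                throw;
            }
        }
    }
}
```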
 

Author Closing Comment

by:CPKGDevTeam
ID: 33673901
Thanks again to the community.

I am much closer now to getting all parties working together in order to go live.

Much appreciation.

KLB
0
