Qsorb
asked on
How secure is cfmail with username and password
To log into a remote mail server I need the username and password. Cfmail won't work correctly without it.
I'm sending 10 - 40 emails using cfmail daily. I am not using SSL and will not use it.
How secure is mail being sent this way? I don't want to compromise my email username and password by having someone sniff it out.
The best described answer gets the points.
<cfmail
server="smtp.remoteserver.net"
port="587"
useTLS="true"
username="support@remoteserver.net"
password="mypassword"
from="support@remoteserver.net"
to="testaccount@remoteserver.net"
Subject="Test Mail">
<!--- message body goes here --->
</cfmail>
It's perfectly safe unless someone hacks your ColdFusion server (highly unlikely) because those variables would never appear on any page you send. They're being taken from the page you're sending the email off of and are hidden to any view source procedures :)
If you are using TLS, and your code suggests you are, then you are fine (fine in the "nothing is ever 100%" kind of way).
In terms of cfmail, it operates pretty much as any email client. Many clients and many server setups don't support ssl or tls so cf is no better or worse.
plusone - couple of things, firstly it's not exactly highly -unlikely- that someone hacks a CF server - happens all the time. Just last year, there was a huge number of servers hit with a hack based on a vulnerability in the FCKeditor that was bundled with CF. This was a total compromise attack. http://isc.sans.edu/diary.html?storyid=6715
But I don't think that's really the issue. If you are using an external mail server, and Qsorb seems to indicate that with "smtp.remoteserver.net", then authentication will be sent in plain text unless the mail server supports SSL or TLS, TLS being the better option, -and- you set cfmail to use it.
ASKER
SidFishes:
I included TLS but have no idea if the comcastbiz.net email server supports it, or if I need to get a digital certificate from somewhere to use it. But as you said, sounds good, if in fact stating to use it then automatically initializes it.
ASKER CERTIFIED SOLUTION
ASKER
Well, that seems to be what I needed, and a good description too. Much thanks! I'll continue using it as it is.
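An added example, not part of the original thread: one way to check the point the discussion turns on, namely whether the mail server advertises STARTTLS on the submission port, which is what decides whether the cfmail username and password travel encrypted. The EHLO replies are constructed samples, and the function names are hypothetical.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_TLS = (
    "250-smtp.remoteserver.net\r\n"
    "250-SIZE 36700160\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_NO_TLS = (
    "250-smtp.remoteserver.net\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 SIZE 36700160\r\n"
)


def parse_ehlo(reply):
    """Map each ESMTP keyword in a 250 reply to its parameter list."""
    caps = {}
    for line in reply.splitlines()[1:]:      # first line is the greeting/domain
        if not line.startswith("250") or len(line) < 5:
            continue
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def assess(reply):
    """Classify what happens to SMTP AUTH credentials on this connection."""
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        return "ok: STARTTLS offered, credentials can be sent after the upgrade"
    if "AUTH" in caps:
        return "risk: AUTH offered without STARTTLS, credentials cross the wire unencrypted"
    return "no STARTTLS and no AUTH advertised"


def probe(host, port=587, timeout=10):
    """Live check: upgrade with certificate verification, return post-TLS AUTH mechanisms."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None                       # server cannot protect the login
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()                           # capabilities must be re-read after TLS
        return smtp.esmtp_features.get("auth", "").split()
```

`probe()` needs network access to the mail server being checked. The client presents no certificate of its own here; `ssl.create_default_context()` only verifies the server's certificate against the system trust store.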