How secure is cfmail with username and password

To log into a remote mail server I need the username and password. Cfmail won't work correctly without it.

I'm sending 10 - 40 emails using cfmail daily. I am not using SSL and will not use it.

How secure is mail being sent this way? I don't want to compromise my email username and password by having someone sniff it out.

The best described answer gets the points.

<cfmail
  server="smtp.remoteserver.net"
  port="587"
  useTLS="true"
  username="support@remoteserver.net"
  password="mypassword"
  from="support@remoteserver.net"
  to="testaccount@remoteserver.net"
  subject="Test Mail">
This is a test message.
</cfmail>

Qsorb Asked:

plusone3055 Commented:
It's perfectly safe unless someone hacks your coldfusion server (highly unlikely) because those variables would never appear on any page you send. They're being taken from the page you're sending the email off of and are hidden to any view source procedures :)
SidFishes Commented:
if you are using tls & your code suggests you are, then you are fine (fine in the nothing is ever 100% kind of way)

In terms of cfmail, it operates pretty much as any email client. Many clients and many server setups don't support ssl or tls so cf is no better or worse.

SidFishes Commented:
plusone - couple of things, firstly it's not exactly highly -unlikely- that someone hacks a cf server - happens all the time. Just last year, there was a huge number of servers hit with a hack based on a vulnerability in the fckeditor that was bundled with CF. This was a total compromise attack. http://isc.sans.edu/diary.html?storyid=6715

But I don't think that's really the issue, if you are using an external mail server and Qsorb seems to indicate that with "smtp.remoteserver.net" then authentication will be sent in plain text unless the mail server supports ssl or tls, tls being the better option -and- you set cfmail to use it.

Qsorb Author Commented:
SidFishes:

I included tls but have no idea if comcastbiz.net email server supports it, or if I need to get a digital certificate from somewhere to use it. But as you said, sounds good, if in fact stating to use it then automatically initializes it.
SidFishes Commented:
if you include the attribute useTLS and the server doesn't support it then the communication session will fail. Basically CF says I want to see a secure handshake - if the server says no way then cf says oh well - bye. You should not need a cert as that is a mail server side thing.

here's a quick read with a bit more info - it references secure email with gmail but it's useful in any case

http://jamiekrug.com/blog/index.cfm/2009/2/13/cfmail-using-Gmail-SMTP

and this might be useful

http://maxprog.net/forum/viewtopic.php?f=5&t=3872

looks like comcastbiz does do tls on 587
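
Added example, not part of the original thread: a Python sketch of the two points made in the answers above, namely that a client should only authenticate after the server offers STARTTLS, and that SMTP AUTH PLAIN on a cleartext session is merely base64. The EHLO replies and the host name mail.example.test are constructed; the credentials are the placeholders from the question.

```python
import base64

# Constructed EHLO replies (not captured from a real server).
EHLO_WITH_STARTTLS = "250-mail.example.test\n250-SIZE 36700160\n250-STARTTLS\n250 ENHANCEDSTATUSCODES"
EHLO_CLEARTEXT_AUTH = "250-mail.example.test\n250-AUTH PLAIN LOGIN\n250 SIZE 36700160"


def parse_ehlo(reply):
    """Map each ESMTP keyword in an EHLO reply to its parameter list."""
    caps = {}
    for line in reply.splitlines()[1:]:  # first line is the server greeting
        words = line[4:].split()         # drop the "250-" / "250 " prefix
        if line.startswith("250") and words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def assess(reply):
    """Say whether SMTP AUTH on this session would expose the password."""
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        return "ok: upgrade with STARTTLS before sending AUTH"
    if "AUTH" in caps:
        return "exposed: AUTH is only available on the cleartext session"
    return "unknown: neither STARTTLS nor AUTH advertised"


def auth_plain_response(username, password):
    """SASL PLAIN initial response (RFC 4616): base64, not encryption."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


def decode_auth_plain(token):
    """What any on-path observer of a cleartext session can recover."""
    _authzid, user, password = base64.b64decode(token).decode().split("\0")
    return user, password


if __name__ == "__main__":
    print(assess(EHLO_WITH_STARTTLS))
    print(assess(EHLO_CLEARTEXT_AUTH))
    token = auth_plain_response("support@remoteserver.net", "mypassword")
    print(token, "->", decode_auth_plain(token))
```
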
Qsorb Author Commented:
Well, that seems to be what I needed, and a good description too. Much thanks! I'll continue using it as it is.