secure email server / messaging system

I have an SSL account for my website. I have created a form on my website where our clients can send us a secure email through https. Is there an application, utility, coding or template where I could use my SSL website to send a client a secure message?

Something like: I send a client an email that states "You have a secure email at: barnwellmd.com/12345." The client clicks on barnwellmd.com/12345, enters a prearranged password and can then view the message.

I don't want to have to set up a secure folder via .htaccess for each client.

I am familiar with websites that provide this service but would like to set it up on my website.

TIA
thenelsonAsked:
Dave BaldwinFixer of ProblemsCommented:
I would use a database to store the messages.  A simpler way that does not use 'htaccess' is to just make the code a query string like "http://barnwellmd.com/message.php?12345asdfgh1m2m3m".  PHP and MySQL have no trouble using long codes to identify and access info.  You could also put the password in the database along with the message.
0
Ray PaseurCommented:
DaveBaldwin is on the right track here.  Couple of thoughts... Forget about email security, you do not have any and you never will.  Instead concentrate on web security.  Let your message be something like this:
You have a secure email at: https://barnwellmd.com?q=12345
In your index.php page you can detect the presence of a GET-method request with a q argument and respond by loading the page that finds message #12345.  The page will ask the client for the password, then upon authentication will display the message.
0

thenelsonAuthor Commented:
DaveBaldwin,

I only have a few dozen messages a month so I think setting up a MySQL database might be overkill. I like the get idea.

Ray_Paseur,

I can see how this would work. I create an array with message# => password. The php script requests the password then displays the message stored in a .htaccess protected folder. Sounds easy.
0
Ray PaseurCommented:
>setting up a MySQL database might be overkill
ProTip: It's never overkill; it's how web sites work best!
0
Dave BaldwinFixer of ProblemsCommented:
Then you must not be used to using databases.  It would be far easier for me to use a database than to keep track of things the way you're describing.  I probably have 99% of the code already written that I could clone to do it.
0
thenelsonAuthor Commented:
I have started a php script so I can send an email as DaveBaldwin and Ray_Paseur suggested. The query string has the file name which is also the hashed password. I realize that the hashed password is now visible in an email and a clever person might figure out it is a hashed password but they would not know the formula I am using to create the hashed number.

I plan if the user enters the correct password, the script retrieves the file from a .htaccess protected folder and displays it.

Before I continue, I wanted to post the code I have so far and see if you all think it is reasonably secure. I will, of course, change the encryption formula before really using the script.

You can try the script by going to . The password for this would be "hello there".

DaveBaldwin,
Your example uses the query string:
?12345asdfgh1m2m3m
Can this be accessed with a get without the variable name and equal sign or was that an error?

Here is the code:
<?php
session_start();
// Get the file name from the query string (empty when q is absent)
$_SESSION['filename'] = $_GET["q"] ?? '';

if (!empty($_POST))
// WE HAVE GOT SOMETHING IN $_POST - RUN THE ACTION SCRIPT
{
    // THERE IS POST DATA - PROCESS IT
    // ACTIVATE THESE TWO LINES TO SEE WHAT IS COMING THROUGH
    //echo "<pre>"; var_dump($_FILES); var_dump($_POST); echo "</pre>\n";	echo "filename: " . $_SESSION['filename']; echo "<br/>\n";
    // Debug output; escaped so the submitted value cannot inject markup
    echo "password: ".htmlspecialchars($_POST["password"])."<br/>\nhashed password: ".encrypt($_POST["password"])."<br/>\n";
    // The part of the file name before the extension is the hashed password
    $temp = explode(".", $_SESSION['filename']);
    // hash_equals() compares as strings; a loose != can treat "0e..." digests as equal numbers
    if (!hash_equals($temp[0], encrypt($_POST["password"])))
    {
        post_password_form("Incorrect password - try again");
    }
    else
    {
        echo "correct password!";
    }
}
else
{
    // IF THERE IS NOTHING IN $_POST, REQUEST THE PASSWORD
    post_password_form("&nbsp;");
}

//function to create the password request webpage
function post_password_form($linetext)
{
?>
<body bgcolor="#F4F4F4">
<form method="post">
	<table style="width: 764px; height: 84px;" border="0" cellpadding="0" cellspacing="0">
		<tr valign="middle">
			<td style="width: 98px; vertical-align: middle;" background="img/toplogobg.jpg">
				<img src="img/No%20ouch%20transparent%20background.png" style="border: 0px solid ; width: 88px; height: 81px;" alt="">
			</td>
			<td style="font-weight: bold; width: 552px; vertical-align: middle;" background="img/toplogobg.jpg">
				<span style="color: white; font-style: italic;">
				<big>Jane
				Barnwell, MD</big><small><br>
				<br>
				</small>Manage the cause<br>
				to manage the pain.</span>
			</td>
		</tr>
		<tr>
			<td colspan="2" align="center"><font size="5">Secure messaging system</font></td>
		</tr>
		<tr>
			<td colspan="2" align="center"><b><font size="3" color="red"><?php echo $linetext; ?></font></b></td>
		</tr>
		<tr valign="middle">
			<td colspan="2" align="center">
				<big>Enter your password: &nbsp;</big>
				<input size="30" maxlength="30" name="password" type="password">
				&nbsp;&nbsp;
				<input value="Submit" type="submit">
			</td>
		</tr>

	</table>
</form>
</body>
<?php
}

//function to encrypt the password
function encrypt($value)
{
    //place the encryption formula behind return
    //note: + is numeric addition in PHP, not string concatenation
    return md5(md5($value)+375896);
}


0
Dave BaldwinFixer of ProblemsCommented:
That was just a generic suggestion.  There are a lot of things you can do with the 'Rewrite Engine' in htaccess.

Other than that, I would not do what you are trying to do.
0
thenelsonAuthor Commented:
So you present to me several more questions:
I Googled "Rewrite Engine" and don't know much more about it than when you just mentioned it (which is nothing). What does the term "Rewrite Engine" have to do with my question?

>I would not do what you are trying to do.
Why not?

>I would not do what you are trying to do.
What would you do and why would it be better?

I have frequently done things because I didn't know any better and when I got done have had more experienced people tell me that is really clever and nicely done.
0
Dave BaldwinFixer of ProblemsCommented:
"Rewrite Engine" is the 'engine' that rewrites URLs in Apache from one form to another, usually used in your '.htaccess' file.

I would put all the data, messages, and hashed passwords in a database.  Then send the user a message asking them to log in with their pre-arranged username and password.  A properly set up database will take care of the organization and be easily accessed with your code.  And it would relieve you of having "to set up a secure folder via .htaccess for each client".  Each message would occupy a single row in the database along with the password and whatever id code you required.  I would make the message id code as long as practical to minimize the chance of someone guessing it along with making the passwords strong.
0
thenelsonAuthor Commented:
I have expanded my script to display a text message, a pdf document or a Word document. The script allows me to store all the messages/files in one secured folder - no need "to set up a secure folder via .htaccess for each client".
Here is a sample: https://barnwellmd.com/message.php?q=52089f67a82aac02efb603bab53c75de.txt
The password for the sample is "hello there".

I am planning to add code to the script that will allow me to create the message or upload a file which will then automatically store it and send a notification to the other person. Also a text box where the other person can send a secure reply.
0
thenelsonAuthor Commented:
DaveBaldwin,

>I probably have 99% of the code already written that I could clone to do it.
Would you be willing to share the code?
0
Dave BaldwinFixer of ProblemsCommented:
Well no because that would make me responsible for it and I don't have the time or interest.  There are a lot of scripts for similar things.
0