i'm having an issue with my ps1 script to send mails. The problem, I have to send this script to multiple users and I dont want them to read my smtp credentials from the mail sender, is there any way to encrypt or hide the password line only, and still can be executed?
$Username = "test"
$EmailPassword = "jlkajdksajeqw"
$Attachment= "c:\validacion.zip"
$EmailTo = ("seleccionestmk#gmail.com")
$EmailFrom = "seleccionestmk#telemercado.com.ar"
$Subject = "Validacion BPC"
$Body= "Validacion realizada, dentro del archivo zip, se encuentran los datos necesarios para aprobar o denegar la validacion. Saludos"
$SMTPServer = "mail.telemercado.com.ar"
$SMTPMessage = New-Object System.Net.Mail.MailMessage($EmailFrom, $EmailTo, $Subject, $Body)
$Attachment = New-Object System.Net.Mail.Attachment($Attachment)
$SMTPMessage.Attachments.Add($Attachment)
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SmtpClient.UseDefaultCredentials = $false
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential($Username, $EmailPassword)
$SMTPClient.Send($SMTPMessage)
If you encrypt the sensitive values somehow then the receiver of the script needs the decryption key in order to read the sensitive values to run the script.
You could run some kind of obfuscation software over your script to make it harder for the receiver of the script to extract the sensitive values, but you can never prevent such an extraction.
The best way would be to re-engineer the system in such a way that giving the credentials to the users is not an issue. For example, scope the email account from which emails are sent in such a way that it is used only for this one use case and all the users that you give the script to are also supposed to use it as such. If you're using the email account for other things then move them to a different account with different credentials.
Another way would be to create a server endpoint which validates the personalized credentials of the users (you need to give each user their own credentials) that you gave the script to and stores the credentials for the email account only on the server. The server would need to validate the fields that they conform to the way this email account should be used.
Related
When I first created this Classic ASP script, with the help of W3Schools, to send email, it worked fine. Now I'm having issues with sending the actual email; it appears to hang on the .Send method.
I noticed that when I set the To and From email address to just the email address, it reformats it to a "Friendly Name"/Email Address format:
myMail.From="Support#myDomain.com"
Response.Write myMail.From
The output of the Response Write is:
"Support#myDomain.com" <Support#myDomain.com>
I don't know if this was happening before, or if I should be setting the To and From fields in this format. Just to check if this is causing my problem, is there anyway to prevent these fields from being changed from just the email address?
Maybe the e-mail sending from the server now needs some kind of authentication such as setting these fields:
' Outgoing SMTP server.
objCDO.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.mydomain.com"
objCDO.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objCDO.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objCDO.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
' Type of authentication, 0=NONE, 1-Basic (Base64 encoded), and 2=NTLM.
objCDO.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
' UserID on the SMTP server
objCDO.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "support#mydomain.com"
' Password on the SMTP server
objCDO.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "myemailpassword"
' Update config.
objCDO.Configuration.Fields.Update
The issue stemmed from the fact that the "From" email address was actually a distribution list and the account credentials used to login to the email server were not authorized to "Send As". Once that was rectified emails sent without further problems.
Thanks for the response.
I'd like to revisit an old SO question about passwords. Like the OP, I don't want to enter my password interactively, but I am confused about how to store the password securely on my machine and share scripts with colleagues (and I'd add specifically, push scripts to GitHub). The accepted answer involves storing the password in .Rprofile, but one commenter suggests that this is not a good idea.
In my specific use case, I have a script that runs every day on a virtual machine that I want other members of my team to access. At the end of the run, it sends an email with the mailR package. This code looks for my gmail password. I've set up 2-step authentication, so mypassword is a third-party password, not my actual gmail password. Still, I am hesitant to share this with others. I'd like to be able to push the script to a private git repo.
send.mail(from = "myemail#gmail.com",
to = tolist,
subject = "my subject",
body = "my message",
smtp = list(host.name = "smtp.gmail.com", port = 465,
user.name = "myusername",
passwd = "mypassword",
ssl = TRUE),
authenticate = TRUE,
html = FALSE,
send = TRUE)
How would you store mypassword?
Storing it in .Rprofile seems to be an option, but I don't know if there are downsides like the one mentioned in response to the accepted answer in the question I linked to.
I could store it in another file like auth.R and run source('auth.R') before send.mail, but this would put the password in the global environment.
Other ideas?
We have a domain name "www.mycloudcctv.com" at godaddy.com and we have created a sub domain cam.mycloudcctv.com which points to 212.78.237.157
We have an application running on third party server (212.78.237.157). This application wants to send an email on our behalf using the email address “alerts# mycloudcctv.com ". Following code snippet (ASP.NET) is being used to send the email from (212.78.237.157)
var mailClient = new SmtpClient();
mailClient.Credentials = new NetworkCredential { UserName = "alerts#mycloudcctv.com", Password = "xyz" };
mailClient.Port = 25;
mailClient.Host = "smtpout.secureserver.net";
mailClient.EnableSsl = false;
var mail = new MailMessage("alerts#mycloudcctv.com", "azharmalik3#hotmail.com", "Test Smtp server", "Testing mycloudcctv server") { IsBodyHtml = true };
//Now Send the message
mailClient.Send(mail);
Everything works fine and emails are being sent however they end up in SPAM/JUNK folders of gmail/hotmail/yahoo. Could you please provide us necessary information so that our emails go to inbox instead of spam folders?
this is a BIG question with lots of complex issues, but it really boils down to three main areas:
Does the email come from a server which has be delegated the authority to deliver emails for the specified domain?
Is the content of the email just hyperlinks and does it contain text which would trigger spam assassin to mark as spam.
Is your server blacklisted for spam
For point 1 look into how to setup SPF records for send authority. http://www.mydigitallife.info/how-to-set-up-and-create-sender-policy-framework-spf-domain-dns-txt-record-with-wizard/
For point 2 get a copy of spam assassin and run your emails through it to see the score.
http://spamassassin.apache.org/
For point 3 http://whatismyipaddress.com/blacklist-check
This is not that easy. There are fair few things you have to do. For example SendGrid has some guidelines:
http://support.sendgrid.com/entries/21194967-deliverability-101
I found this blog-posting extremely useful! Give it a good read, it covers a lot of the points already mentioned here thus far:
http://www.codinghorror.com/blog/2010/04/so-youd-like-to-send-some-email-through-code.html
I'd like to e-mail all my users a link to a symfony site that I am writing, and have it so that when they follow that link they are logged in to the site (probably with a special role, like IS_AUTHENTICATED_REMEMBERED), and redirected to a certain page. How can I do this?
So the link would be something like:
http://example.com/?key=[some sort secret key with their account encoded in it]
i'd do something like this: generate the key with a hash function over the username.
Then send them a link to http://example.com/?user=username&hash=the-hash-result.
In the action that will recieve this url you can get the request parameter username and hash, apply the same hash funcion to the username you recived and compare the result to the hash key in the request parameters.
If match, just set the appropiate credentials to the user and log him in
Lets see some code, in your authentication class you should have a function to authenticate a user with the $user and $password parameters. Here or extending this class you can define a funciton like this:
function authenticate($user,$hash-key){
if(hashFunction($user) == $hash-key){
$user->setAuthFunction(true);//sort of
}
}
Hope it helped you!
Not so easy to implement I can tell you but you got to take a look to the UsernamePasswordFormAuthenticationListener::attemptAuthentication method...
Make your own service to atteptAuthentication automaticaly.
Inspired by this message and this code, I wrote a controller that gets the user from the database, verifies the secret key, then fakes a login token as follows:
$providerKey = 'secured_area'; // Name of firewall from security.yml - not sure this is correct.
$token = new UsernamePasswordToken($user, null, $providerKey, array('AUTO_LOGIN'));
$this->container->get('security.context')->setToken($token);
(you need this at the top of your file)
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
It seems to work, and the user has a role of AUTO_LOGIN so I can easily restrict them from accessing more sensitive stuff until they have logged in with a username and password as normal.
I have a question about how to use md5 and a salt to secure a password, I have already made many searches for answers to my questions.
An article I saw was using c# to convert password to md5 string, something like this:
public static string md5(string <b>sPassword</b>)
{
System.Security.Cryptography.MD5CryptoServiceProvider x = new System.Security.Cryptography.MD5CryptoServiceProvider();
byte[] bs = System.Text.Encoding.UTF8.GetBytes(sPassword);
bs = x.ComputeHash(bs);
System.Text.StringBuilder s = new System.Text.StringBuilder();
foreach (byte b in bs)
{
s.Append(b.ToString("x2").ToLower());
}
return s.ToString();
}
}
My question is the above code seems server side is its mean password traveling over internet in plain text doesn't it create any security issue or it does not matter i don't know (may be i am getting it wrong way or i am not clear about password security concept) ?
What i have done in my project is i am creating a secure password at client side with java script md5.js file and with user's entered password before posting login.aspx form back to server then at server side i am fetching hashed password of user from database(which was stored at the time of registration of user with same technique) and match both client side and server side hashed passwords if they match user authenticated.
i don't know weather i am doing it right way or not please let me know right way if i am wrong .
Now the problem is i want to use SALT with the md5 (md5+salt) to make password more secure with Randomly generated salt string. how to do this should i make a random salt string at server side while page_load of login page and then send it to client side and at client mix this salt with user password before posting form. after post again mix the password(fetched from database) with same random string and match both password to authenticate.
One more question, at the time of registration of a new user, where should originally user entered password convert in md5 at client side or server side if at server side then password should post to server as it is means original password.(like "MyPassword")
Firstly you should be aware that SHA1 is now industry standard, but it's still fine to use Md5 for most things.
Secondly to stop plain text transmitting over the public network, use an HTTPS connection (you may need to purchase a certificate from a recognised vendor).
Also if this is for a user system, consider using ASP.net's membership system. It does this all for you and has been extensively reviewed.
The basic flow of what you describe anyway would be:
User enters password
Server generates random salt
Hashed password = md5(salt + raw password)
Store hashed password and salt along side username, dispose of raw
When user logs in, find the associated salt with the username login is being attempted for.
Is password valid = does md5(salt + entered password) = store hash?
If they do, login
Once they have logged in, it might be a good idea also to regenerate a new salt and hash. Also the md5() should be applied to the password thousands of times before storing to make a dictionary attack uneconomical.
There are plenty of resources out there that go into this in more detail.
Good luck!