In a recent post I described how easy it was to turn your website into a spamming tool provided you know how to change some IIS settings. In a comment Dennis wrote “Some things are so simple, you’d expect everyone to know these things and use them wisely. Unfortunately,.” Yes, both coding and setup are easy in themselves, but the two parts are usually handled by different people. The developer writes the code and the IT pro does the configuration, and these people have different cultures. Most of us developers are used to working with database connection strings like “.. user=sa;pwd=” and we are unpleasantly surprised by some service being refused. These days, with more and more systems being “secure by default”, it’s time we grow up and start showing some real interest in configuration matters.
The big hurdle to take is communication. Developers and IT pros speak different languages. On the developer’s side the framework docs don’t help: there are loads of samples, there is the SmtpPermission class, but not a word on server configuration. There is no bridge to the world of the IT pro. All you get is the exception, which talks about relaying. And when you look up relay in the docs you end up in the SOAP headers documentation. That doesn’t help either.
These settings are used by every SmtpClient in your app, including things like the password-recovery control, which sends a user a lost password. My code example can now be even simpler:
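using System.Net.Mail;

private static void SendMailWithIIS(string subject, string body, string to)
{
    MailMessage message = new MailMessage();
    message.To.Add(to);
    message.Subject = subject;
    message.Body = body;
    message.BodyEncoding = System.Text.Encoding.ASCII;
    message.IsBodyHtml = true;
    message.Priority = MailPriority.Normal;
    // No host or port here: the parameterless constructor reads them from system.net/mailSettings.
    SmtpClient smtp = new SmtpClient();
    smtp.Send(message);
}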
The app will be easier to maintain as well. The IT pro can jump straight to the system.net settings in the web.config. No need to ask which appSetting holds the name of the mail server. One reason less to talk? That would be a pity. We developers have to learn to live and write software in a restricted world, and have to learn how to set up a real-world development machine. IT pros can learn a lot from developers as well, but that’s a different subject.
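For reference, a system.net mail section of the kind the IT pro would look for in web.config. This is an added example, not the configuration from the original post; the host name, port and from address are placeholders.

```xml
<configuration>
  <system.net>
    <mailSettings>
      <!-- "from" is the default sender for any MailMessage that does not set one.
           The address is a placeholder. -->
      <smtp deliveryMethod="Network" from="webmaster@example.com">
        <!-- Placeholder host and port: the mail server that has been configured
             to accept mail from this web server.
             defaultCredentials="true" authenticates with the identity the
             application runs under, so no user name or password is kept in this file. -->
        <network host="mail.example.com" port="25" defaultCredentials="true" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
```

Every SmtpClient created with the parameterless constructor picks up this section, so changing the mail server is a configuration change, not a code change.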