tracker issue : CF-3369472

select a category, or use search below
(searches all categories and all time range)
Title:

CFMAIL Keep sessions alive

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Steven Weiner / Steven Weiner (Steven Weiner)

Created: 11/21/2012

Components: Net Protocols, MAIL

Versions: 9.0.1

Failure Type: Incorrect w/Workaround

Found In Build/Fixed In Build: 9.0.1 / CF11 Update5,CF10 Update16

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win 2008 Server x64

Vote Count: 2

Listed in the version 11.0.05.293506 Issues Fixed doc 
Problem Description:  when using CFMAIL and specifying an smtp server, username and password, the spool manager does not consider the username/password when the keep mail connection check box is checked in administrator.

Steps to Reproduce:  Setup 2 cfmail based on a query with 1000+ records.  set both cfmail tags to the same SMTP server, but use a different username/password for each...  example tag 1: smtp.gmail.com username: user1@gmail.com password:, tag2: smtp.gmail.com username: user2@gmail.com password:

Actual Result:  You will find that when "keep connection alive" is checked, it is entirely possible for emails from user2 to be sent through user1's account.

Expected Result:  User1's emails sent only through user1's account and user2's emails be send through their account.

Any Workarounds: in my DNS, I created a cname to point to my smtp server addresses so that both websites were looking at different domain names rather than the same one.  the unique domain name is enough to force coldfusion to create a new connection rather than use the same one.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3369472

External Customer Info:
External Company:  
External Customer Name: ifsteve
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:

Comments:

I host 2 different clients that both use Sendgrid.com for email relay. When I logged in to review activity I found that emails from client 1 were being sent through client 2's account. I double checked my code, and then contacted sendgrid who verified that client 1 and client 2 were both sending emails at approximately the same time, and that the client only authenticated once and was sending emails through the wrong account.
Comment by External U.
17151 | November 21, 2012 09:40:07 AM GMT
This bug impacts security. It inhibits Confidentiality, Integrity and Accountability when it comes to that security. It also could inhibit secure communications where content is encrypted based on one email address, but then sent out by another.
Vote by External U.
17155 | August 21, 2013 09:01:29 AM GMT
Just to clarify my workaround as I don;t think it has been explained properly. the issue is going to occur if multiple users/sites send mail through the same smtp server, e.g. smtp.gmail.com, so the workaround is to use a unique SMTP server. To do this simply create a DNS record using your own domain name which points to the SMTP server, this way you will not be using anyone else's existing connection. so in the case of gmail, create a CNAME record for smtp.yourdomain.com pointing at smtp.gmail.com
Comment by External U.
17152 | August 21, 2013 05:52:56 PM GMT
Presumably this issue has been around a long time, but probably only being noticed now as more people send mail through gmail
Vote by External U.
17156 | August 21, 2013 05:53:31 PM GMT
The fix for this bug is available in the pre-release build of ColdFusion 11 Update 5 and ColdFusion 10 Update 16
Comment by CFwatson U.
17153 | February 20, 2015 09:28:25 AM GMT
Verified this is fixed in CF11 Update 5 (build 11,0,05,293506). I did the steps in "Steps to Reproduce" exactly, w/ the "Maintain connection to mail server" setting enabled. In CF11 Update 4 (build 11,0,04,293328), 600 emails were sent thru user1 and 1400 emails were sent thru user2. In CF11 Update 5 (build 11,0,05,293506), 1000 emails were sent thru user1 and 1000 emails were sent thru user2. Thanks!, -Aaron
Comment by External U.
17154 | November 22, 2015 06:57:37 AM GMT