Open Email Relay Prevention Configuration

  • 16 February 2021

KB003668

PRODUCT
K2 Five
BASED ON
K2 Five

Introduction

An open email relay risk was identified in the Send an e-mail rule action in SmartForms: because the rule executes with the addresses supplied by the client, a SmartForms runtime user can alter the From and To addresses in any view or form that uses the action, and so send mail with a spoofed sender to arbitrary recipients through the server's mail connection. This article gives guidance on best practices when using the send email function.

The preferred method of sending an email in a solution is the workflow Send Email step. The workflow loads the email addresses from Workflow Context fields and from SmartObjects that are resolved server side, so a browser user cannot tamper with them.

If you prefer using the Send an e-mail rule action in SmartForms, you can now configure the SmartForms web.config file to minimize the security risk of open email relay.

Use the guidance below to configure the SmartForms web.config file to prevent open email relay. If you use the Send an e-mail rule action in SmartForms and you don’t configure these settings, your solution is still at risk of open email relay.

Configure security settings

To minimize the risk of open email relay, configure one of the settings below. Add the preferred setting to the <appSettings> node of the Web.config files in both of the following locations (the backslashes are shown here as they appear on disk):

"%ProgramFiles%\K2\K2 smartforms Designer\Web.config"
"%ProgramFiles%\K2\K2 smartforms Runtime\Web.config"

- When you save your changes in the Web.config file, Internet Information Services (IIS) automatically refreshes the IIS site. An IISReset is not required.
- We suggest you close and reopen your web browser after saving the configuration in the Web.config files to allow the application of your changes to your browser.
Setting: Enforce the From Address
Example: <add key="Forms.AppFramework.SendMail.EnforceFromAddress" value="true" />
Description: Checks the From Address at runtime:
  • If the From Address is the default From Address in the environment library, no changes are made
  • If the From Address is the same as the current user's email address, no changes are made
  • If it is neither of the above, it:
    • Changes the From Address to the current user's email address
    • Logs a warning message in the log file here: C:\Debug\Debugout[DATE].csv
    Example in log file: [screenshot of the warning entry not reproduced]
  Note that this setting validates only the From Address; the recipients of the email are not checked. If arbitrary recipients are the concern, disable the action (below) or use the workflow Send Email step.

Setting: Disable Send an e-mail rule action
Example: <add key="Forms.AppFramework.SendMail.Disabled" value="true" />
Description: Disables the Send an e-mail rule action:
  • The action is removed from the list of rule actions in K2 Designer
  • The action is not searchable in the list of rule actions in K2 Designer
  • All existing Send an e-mail rule actions are disabled and not executed at runtime
  • No errors are shown at runtime
  • If the rule action was configured before the disabled setting was added to the Web.config file, a warning message is logged in the log file here: C:\Debug\Debugout[DATE].csv
    Example in log file: [screenshot of the warning entry not reproduced]
  • If a view or form was configured with the rule action before the disabled setting was added to the Web.config file, and you edit the rule in the view or form, the action still shows as configured. You can edit or remove the action.

Enable logging and tracing

If you want to monitor the logs for events regarding these security settings, you can follow the steps below to enable logging and tracing.

  1. Create a folder called Debug here: "C:\Debug", and grant the Application Pool account write permission on this folder.
  2. Edit the SmartForms Web.config file found here: "%ProgramFiles%\K2\K2 smartforms Runtime\Web.config".
  3. Under <appSettings>, change the following values:
     Setting                                                   New value
     Forms.Global.ErrorLogging.Enabled                         true
     Forms.Global.ErrorLogging.FirstChangeExceptions.Enabled   true (uncomment the attribute)
     TraceFilter                                               FormRuntime,Performance,PerformanceSummary (uncomment the attribute)
  4. Under <system.diagnostics>, change the following values:
     Setting                New value
     EnableTracing          true
     MessageTypeToTrace     4 (3 also works)
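The following PowerShell script is an added example, not code from the K2 article or the product: it applies the <appSettings> changes from both "Configure security settings" and "Enable logging and tracing" above to the Designer and Runtime Web.config files, backs each file up first, reads the result back to confirm the key landed, and grants the Application Pool account write access on C:\Debug. Assumptions not taken from the article: the app pool identity name (IIS AppPool\K2 is a placeholder), that the commented-out TraceFilter entry is an <add key="TraceFilter" .../> element, and the script and parameter names. The <system.diagnostics> step (EnableTracing, MessageTypeToTrace) is left as a manual edit because its element structure is not shown on this page. Run it from an elevated PowerShell session.

```powershell
# Set-K2SendMailGuard.ps1 (hypothetical name). Added example; not part of the K2 article.
param(
    [ValidateSet('EnforceFromAddress', 'Disabled')]
    [string]$Mode = 'EnforceFromAddress',          # which mitigation key from the article to set
    [string]$AppPoolAccount = 'IIS AppPool\K2',    # ASSUMED app pool identity; replace with yours
    [string]$LogDir = 'C:\Debug',                  # log folder the article uses
    [switch]$EnableLogging                          # also apply the Runtime logging switches
)

# Web.config locations from the article.
$configs = @{
    Designer = Join-Path $env:ProgramFiles 'K2\K2 smartforms Designer\Web.config'
    Runtime  = Join-Path $env:ProgramFiles 'K2\K2 smartforms Runtime\Web.config'
}

function Set-AppSetting {
    # Sets <add key="..." value="..."/> under <appSettings>, creating the element if missing.
    param([xml]$Doc, [string]$Key, [string]$Value)
    $appSettings = $Doc.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw 'No <appSettings> node found' }
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($node) {
        $node.SetAttribute('value', $Value)
    } else {
        # Keys that ship commented out in Web.config are invisible to the XML parser,
        # so they are added as new elements rather than "uncommented".
        $node = $Doc.CreateElement('add')
        $node.SetAttribute('key', $Key)
        $node.SetAttribute('value', $Value)
        [void]$appSettings.AppendChild($node)
    }
}

function Get-AppSetting {
    param([xml]$Doc, [string]$Key)
    $node = $Doc.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if ($node) { $node.GetAttribute('value') } else { $null }
}

$mitigationKey = "Forms.AppFramework.SendMail.$Mode"

foreach ($name in $configs.Keys) {
    $path = $configs[$name]
    if (-not (Test-Path $path)) { Write-Warning "$name Web.config not found at $path"; continue }

    # Timestamped backup before touching a production config.
    Copy-Item $path "$path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($path)

    Set-AppSetting -Doc $doc -Key $mitigationKey -Value 'true'

    if ($EnableLogging -and $name -eq 'Runtime') {
        Set-AppSetting -Doc $doc -Key 'Forms.Global.ErrorLogging.Enabled' -Value 'true'
        Set-AppSetting -Doc $doc -Key 'Forms.Global.ErrorLogging.FirstChangeExceptions.Enabled' -Value 'true'
        Set-AppSetting -Doc $doc -Key 'TraceFilter' -Value 'FormRuntime,Performance,PerformanceSummary'
    }

    $doc.Save($path)   # IIS reloads the site on save; no IISReset needed (per the article)

    # Read the file back from disk and confirm the mitigation key actually landed.
    $check = Get-AppSetting -Doc ([xml](Get-Content -Path $path -Raw)) -Key $mitigationKey
    if ($check -ne 'true') { throw "${name}: $mitigationKey is '$check', expected 'true'" }
    Write-Host "${name}: $mitigationKey=true"
}

if ($EnableLogging) {
    # The app pool identity must be able to write Debugout[DATE].csv into $LogDir.
    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    $acl  = Get-Acl -Path $LogDir
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($AppPoolAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $LogDir -AclObject $acl
    Write-Host "Granted Modify on $LogDir to $AppPoolAccount"
}
```

Usage: `.\Set-K2SendMailGuard.ps1 -Mode Disabled -EnableLogging -AppPoolAccount 'IIS AppPool\K2'`. After it runs, close and reopen the browser as the article recommends, then check C:\Debug for the warning entries when a form with a pre-existing Send an e-mail action is executed.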
