Sending e-mail out of client application without storing password
My Aim: Sending an email (e.g. support request, error report) out of a C# Windows forms application. I know how do do this technically but here is the catch:
In order to authenticate myself on the mail server (e.g. gmx, yahoo, own website) I need to store the login details inside the application (which runs on the client system). If someone extracts it or sniffs the network traffic he will have access to my email account. Maybe the second threat could be eliminated using a secure connection. However, it is still possible to get the password out of the application regardless if it is obfuscated or not.
So is there are 'secure' concept enabling me to send e-mail messages out of my program, which runs on the client pc without the need to store a password in accessible form and not requirering a special web service?
I had such a requirement in the past which we solved by using a web service to post messages.
If for example a user wanted to submit a bug report it would be turned into a web service call to our web server and it would then be forwarded accordingly.
To answer your question: There is no way you can hide you mail server. If your program can send emails, so can the user with another program. (the same goes for a web service.) What you can do is use an open smtp server (smtp relay) but that is just asking for trouble.
If you are sending a message to a domain that the mail server is the final destination for you do not need to authenticate the sender, you only need to do this when you are relaying mail to another domain.
You could allow email to only be sent by Active directory authenticated users. That would allow you to check that the user has a valid account and is in a valid group "domain\MyMailSendUsers" before your app is able to send the mail.
if you are using a local mail server it can also be configured to only allow connections from certain resources. If you are using mail from an external supplier (yahoo, google etc) then you are going to have to store the usernames and passwords, theres no real way around that other than asking users to type them in each time they want to send, you could then store them in a runtime variable (and encrypt it) to keep them secure.