Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

Elias Lundmark
Dec 1, 2020
  5815
(2 votes)

SMTP Authentication Changes in DXP

The provider for SMTP services and transactional e-mails in DXP are making some changes around authentication methods during this quarter. The changes will move away from basic authentication with username and password, and instead use API keys for authentication.

 

So what does this mean for you? 

If you are using the SMTP service that is a part of DXP, you will need to make some modifications to your <smtp> section in the web configuration file. Start by navigating to the management portal - within your DXP project and the “API” tab you will now find an option to generate API keys. 

After generating an API key (it’s only viewable directly after creation, so save it), grab the username and hostname as well from the management portal. You’re then ready to modify configuration in your deployment packages. 

<configuration>
    <system.net>
      <mailSettings>
        <smtp from="yourdefaultreply@address.com">
          <network
            host="smtp.sendgrid.net"
            password="[API key generated in management portal]"
            userName="apikey"
            port="[587, 465, 25 or 2525]" />
        </smtp>
      </mailSettings>
    </system.net>
</configuration>

And that’s it, you’re all set to deploy to your environments in DXP. Sendgrid does have a hard deadline of January 20th where they will stop supporting basic authentication. If you are currently using basic authentication and cannot make the changes ahead of the deadline, we will run a migration close to the deadline to do this automatically and transform configuration files, but note that we will block any deployments after this migration if we notice that basic authentication is used. This is to ensure that transactional e-mails keep working as expected. 

We apologize for the late heads-up for this and our aim is to make this transition as smooth as possible. Thank you for your patience and understanding.

Best regards, 
Elias Lundmark 
Product Manager, Cloud Services 

Dec 01, 2020

Comments

Scott Reed
Scott Reed Dec 2, 2020 12:21 PM

Although these are tagged as DXP Blog posts world could really do with an offical platform changes feed that we could keep track on. I woud hope notification of these sorts of things would be set to clients/agencies as well directly but I've not seen an communcation.

Joshua Folkerts
Joshua Folkerts Dec 9, 2020 12:18 AM

It appears this works outside of dxp enviroments.  as soon as the credentials are used in a dxp enviroment, it does not send.  Is this by default?

Elias Lundmark
Elias Lundmark Dec 9, 2020 10:18 AM

@Scott, thanks for the feedback! There is definitely room for improvement in our communications with things like these. For now, you can subscribe to our status page at https://status.episerver.com/ to get notifications - ideally we'd have something similar through the paasportal down the line.

@Joshua, I can't really tell why that behavior is. I'd recommend reaching out to our support for technical assistance https://support.episerver.com/hc/en-us

Joshua Folkerts
Joshua Folkerts Dec 9, 2020 01:27 PM

For sure.  I did.  On that note.  Thanks for keeping us posted and appreciate all the work you guys put in to make the product more self sufficiant.  

Scott Reed
Scott Reed Dec 9, 2020 03:28 PM

Thanks I must of missed this on the status update. To be honest I wasn't expecting it there, I thought it would be notified in a different way rather than through maintenance updates. 

Mike Malloy
Mike Malloy Dec 9, 2020 07:02 PM

After you click 'Generate API Key', make sure you click 'Copy API Key' in the menu, the entire key is not shown.

James Wilkinson
James Wilkinson Dec 10, 2020 04:21 PM

Thanks for the heads up.

Agreed on the communications front - I think there also needs to be some stronger communication around prouct updates that fix critical vulnerabilities too. 

Vahid
Vahid Jan 7, 2021 12:06 AM

Does it means after Jan 21th the email sending via user/pass authentication mode won't send?

Vahid
Vahid Jan 7, 2021 06:57 AM

"if you are currently using basic authentication and cannot make the changes ahead of the deadline, we will run a migration close to the deadline to do this automatically and transform configuration files, but note that we will block any deployments after this migration if we notice that basic authentication is used. This is to ensure that transactional e-mails keep working as expected. "

as per this comment, if we couldn't do the deployment by Jan 20th, it means that Epi will update the config file with api key and it won't block the email sending functionality on our websites? Just any othe deployment will be block though?

Anders Wahlqvist
Anders Wahlqvist Jan 7, 2021 08:39 AM

@Vahid: You're correct. User/Pass authentication will be disabled by SendGrid on the 20th of January. If you haven't migrated your site before then, we will go ahead and update the configuration for you automatically. If we then detect that a new deployment is happening to that site using a username/password, the deployment will be blocked to ensure e-mails work as expected from the site.

Please login to comment.
Latest blogs
Join the Work Smarter Webinar: Working with the Power of Configured Commerce (B2B) Customer Segmentation December 7th

Join this webinar and learn about customer segmentation – how to best utilize it, how to use personalization to differentiate segmentation and how...

Karen McDougall | Dec 1, 2023

Getting Started with Optimizely SaaS Core and Next.js Integration: Creating Content Pages

The blog post discusses the creation of additional page types with Next.js and Optimizely SaaS Core. It provides a step-by-step guide on how to...

Francisco Quintanilla | Dec 1, 2023 | Syndicated blog

Stop Managing Humans in Your CMS

Too many times, a content management system becomes a people management system. Meaning, an organization uses the CMS to manage all the information...

Deane Barker | Nov 30, 2023

A day in the life of an Optimizely Developer - Optimizely CMS 12: The advantages and considerations when exploring an upgrade

GRAHAM CARR - LEAD .NET DEVELOPER, 28 Nov 2023 In 2022, Optimizely released CMS 12 as part of its ongoing evolution of the platform to help provide...

Graham Carr | Nov 28, 2023

A day in the life of an Optimizely Developer - OptiUKNorth Meetup January 2024

It's time for another UK North Optimizely meet up! After the success of the last one, Ibrar Hussain (26) and Paul Gruffydd (Kin + Carta) will be...

Graham Carr | Nov 28, 2023

Publish content to Optimizely CMS using a custom GPT from OpenAI 🤖

Do you find the traditional editor interface complicated and cluttered? Would you like an editorial AI assistant you can chat with? You can!

Tomas Hensrud Gulla | Nov 28, 2023 | Syndicated blog