Using database mail - risky

  • Is using database mail a risk, as you have to allow your SMTP server to relay messages from your SQL Server? Is relaying of emails not risky, as anyone who has access to that SQL Server would be able to send emails as a VIP, e.g. the CEO?

  • Only if your CEO has the right roles on SQL or knows of an account that does.

    To be able to send mail you need to be part of the DatabaseMailUserRole in MSDB or be a sysadmin.

  • The database mail system itself has proven itself to be quite reliable to me. We send lots of outgoing mail and it does a pretty good job. The only caveat is that you will need to have an archiving plan. If you don't have one now, you will eventually as your MSDB database grows. Here are the basics of how to create one: http://msdn.microsoft.com/en-us/library/ms189258.aspx.

    We've also sent outbound email using a profile/account where the email account also exists on our Exchange server. So when the recipients hit "Reply" the email is received by the Exchange server and routed to the proper mailbox.

    All in all, I think it works well.

  • Relaying is sending emails to addresses that the SMTP server doesn't actually administrate itself (i.e. gmail.com forwarding to yahoo.com).

    Also remember there are two kinds of relaying: anonymous relaying, and relaying for an account that has a username and password on the server.

    Most mail servers are set up to not allow anonymous relaying except when the connecting IP address is coming from a "white list" of allowed IPs.

    Otherwise, if you pass credentials, whether Windows credentials or a mailbox and password, the server is usually set up to relay/send your mail to addresses outside of the SMTP domain.

    So if you create a SQL Server and set up database mail, 99% of the time you just set it up to use a specific Windows user or a specific mailbox/password. There's no need to go to the SMTP server and make any changes, unless it blocks all traffic from non-white-listed IP addresses. It's just not necessary to make changes in the standard security model.

    I've got a hosted server that allows relaying only from the web server or the SQL Server, but I still use AUTH with username and password anyway.

    Lowell


    --Help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. With your description of the problem, we can provide a tested, verifiable solution to your question! Asking the question the right way gets you a tested answer the fastest way possible!
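
The two controls discussed in this thread (who may send Database Mail, and how each mail account authenticates to the SMTP server) can be reviewed with read-only queries against msdb. This is an added example, not code from any of the posts above; it assumes a login that can read the msdb Database Mail tables and the server principal catalog views.

```sql
USE msdb;

-- 1. Who can send mail: members of DatabaseMailUserRole in msdb.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'DatabaseMailUserRole';

-- 2. Who can send mail regardless of that role: sysadmin members.
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r  ON r.principal_id  = srm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = srm.member_principal_id
WHERE r.name = N'sysadmin';

-- 3. Which profiles each principal may use.
--    principal_sid 0x00 marks a public profile, usable by every
--    member of DatabaseMailUserRole.
SELECT p.name AS profile_name,
       CASE WHEN pp.principal_sid = 0x00 THEN N'(public profile)'
            ELSE dp.name END AS granted_to,
       pp.is_default
FROM dbo.sysmail_principalprofile AS pp
JOIN dbo.sysmail_profile AS p ON p.profile_id = pp.profile_id
LEFT JOIN sys.database_principals AS dp ON dp.sid = pp.principal_sid;

-- 4. How each account connects to SMTP: anonymous, basic
--    authentication, or the Database Engine's Windows credentials.
SELECT p.name AS profile_name,
       a.name AS account_name,
       a.email_address,
       s.servername, s.port, s.enable_ssl,
       CASE WHEN s.use_default_credentials = 1
                THEN N'Windows credentials of the Database Engine'
            WHEN s.credential_id IS NOT NULL
                THEN N'Basic authentication: ' + ISNULL(s.username, N'?')
            ELSE N'Anonymous' END AS smtp_authentication
FROM dbo.sysmail_profile AS p
JOIN dbo.sysmail_profileaccount AS pa ON pa.profile_id = p.profile_id
JOIN dbo.sysmail_account AS a ON a.account_id = pa.account_id
JOIN dbo.sysmail_server  AS s ON s.account_id = a.account_id
ORDER BY p.name, pa.sequence_number;
```

Rows reported as Anonymous in the last query are the accounts that depend on the SMTP server's IP allow list rather than on credentials.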
