如何安全地存储和设置SmtpClient类使用的密码? [英] How do I securely store and set password for use by SmtpClient class?

问题描述

我正在编写一个需要发送SMTP电子邮件的C#类.我在这个问题中找到了代码，这给了我发送电子邮件 )

I am writing a C# class that needs to send SMTP emails. I found code in this SO question which gave me what I needed to send the email (SO Question)

为方便起见，这是我正在从 answer 修改上述问题的代码:

For convenience, here is the code I am modifying from an answer to the above question:

using System.Net;
using System.Net.Mail;

var fromAddress = new MailAddress("from@gmail.com", "From Name");
var toAddress = new MailAddress("to@example.com", "To Name");
const string fromPassword = "fromPassword";
const string subject = "Subject";
const string body = "Body";

var smtp = new SmtpClient
           {
               Host = "smtp.gmail.com",
               Port = 587,
               EnableSsl = true,
               DeliveryMethod = SmtpDeliveryMethod.Network,
               UseDefaultCredentials = false,
               Credentials = new NetworkCredential(fromAddress.Address, fromPassword)
           };
using (var message = new MailMessage(fromAddress, toAddress)
                     {
                         Subject = subject,
                         Body = body
                     })
{
    smtp.Send(message);
}

我遇到的问题是该问题中的代码要求将smtp密码存储在纯文本C#源文件中.问题之一是该代码将签入到团队基础服务中，因此整个团队将不得不/必须了解凭据.问题二是混淆是可能的，但不能解决问题一.

The problem I have is that the code in that question requires the smtp password to be stored in the plain-text C# source file. Problem one is that this code will be checked in to team foundation service so the whole team would have to/get to know the credentials. Problem two is that obfuscation is possible but it doesn't fix problem 1.

我发现最接近的解决方案是对应用程序配置进行加密，作为安装步骤.这无法解决问题1，但如有必要，可以解决.

The closest to a solution i have found is encryption of an app config as an installation step. This doesn't get around problem 1 but if necessary can be done.

这种情况是否会出现在生产应用程序中，以及使用什么最佳实践来存储实例化C#类所需的密码?

Does this situation come up in production applications, and what best practices are used to store passwords needed to instantiate C# classes?

推荐答案

我们使用构建服务器TeamCity解决了此问题.构建系统包含生产机密(密码，API密钥等)，只能由几个受信任的个人设置.然后，我们的构建系统负责使用脚本和/或密码构建参数在编译之前/之后更改配置(和其他敏感)文件.

We solve this issue using our build server, TeamCity. The build system contains production secrets (passwords, API Keys, etc), which can only be set up by a few trusted individuals. Our build system is then responsible for altering the configuration (and other sensitive) files just before/after compilation using scripts and/or Password Build Parameters.

这使我们有更多的时间来提交机密信息的阶段/测试值，但知道生产版本将获得生产机密. App/Web.Config转换可以处理URL切换(dev/qa/stage/prod)，因此我们永远只将构建服务器用于不需要包含在源代码管理中的部分.

This frees us up to commit staging/test values for our secrets, but know that production builds will get production secrets. App/Web.Config transforms can take care of URL switching (dev/qa/stage/prod), so we only use the build server for the parts that we don't want included in source control, ever.

这篇关于如何安全地存储和设置SmtpClient类使用的密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！