Encrypted mail content submission

mat 28 Sep, 2009
I’d like to know if it is possible to send the form content with an encrypted email to a specific address.
The address has a personal certificate. The "from" address may have a similar certificate too.
GreyHead 28 Sep, 2009
Hi Mat,

Probably, but there isn't enough information on that page to give you any better answer. We'd need to know what needs to be added to or done to the email to encrypt and certify it.

Bob
mat 28 Sep, 2009

Probably, but there isn't enough information on that page to give you any better answer. We'd need to know what needs to be added to or done to the email to encrypt and certify it.


Thanks for your answer.
I don’t know what to explain because I’m not familiar with mail certificates. So I'll try to explain the situation.
The site has an SSL certificate (RapidSSL from Geotrust) to give secure access to the backend so my customer can get ChronoForms results.
Now we use a simple email notification to the customer that tells “Hey, somebody has sent a new form!”. The customer says: «I don’t want to access the site every time, send me the form data via mail».
The problem is that some fields may contain medical or personal information and using a standard email is not a good idea (and is punishable here in Italy). So I thought of a mail certificate, but I don’t know how to install it (and if I need or can install it on the hosting server) and what is required of the mail function in ChronoForms.
Another solution may be a password encrypted attachment to the mail notification, and once received the customer may manually insert the password.
GreyHead 28 Sep, 2009
Hi Mat,

Sorry, but the answer is still the same. It's probably possible, specify what you want to do and we can give you a better answer.

I simply don't have the time to go research email encryption for you.

Bob
nml375 29 Sep, 2009
Hi Mat & Bob,
Most servers these days should come with OpenSSL installed, which is what we need for the encryption.
Next, due to the way pki (public key interchange) works, the recipient needs a signed certificate (public key) made available to the mailer (your server), and a private key on his/her email client. The Personal E-mail Certificate you mentioned in your first post should cover this, as long as it's your client's certificate.

So, what to do next;
Well, CF does not support generating S/MIME (pkcs7) email, so you'll either have to edit that part of CF, or do the emailing manually in the "on submit - after email" box (don't worry 'bout the name, it'll be run even though we disable the builtin email in CF). I'll take the second approach for this, as rewriting CF itself would probably be a more challenging task...

First off, we need the signed certificate uploaded on the server (we could also store this in the form code itself, but let's keep the code tidy for now...). We'll call it 'client_email_cert.x509'.
<?php
$key = file_get_contents('client_email_cert.x509');
?>

Since we're not using CF email, we also need to generate a message:
<?php
$msg = "Hello Client,
There's been a new submission to our form, the details are as follows:

Name: " . JRequest::getString('name') . "
Email: " . JRequest::getString('email') . "

Have a nice day.";
?>

In the code above, we use JRequest::getString() to get the submitted data and insert them into our message.

Now, we get to the funny part of actually creating the crypted message:
<?php
//we've got our key in $key, and message in $msg..
$parm = array(
  'To' => 'yourclient@somesite.it',
  'From' => 'Yoursite <webmaster@yoursite.it>',
  'Subject' => 'Submitted form data'
);

//Create a file to hold our original message and our encrypted message:
$config = JFactory::getConfig();

$orig = $config->getValue('config.tmp_path').DS.uniqid('txt');
$crypt = $config->getValue('config.tmp_path').DS.uniqid('enc');

$fd = fopen($orig, "w");
fwrite($fd, $msg);
fclose($fd);

if (openssl_pkcs7_encrypt($orig, $crypt, $key, $parm, PKCS7_TEXT, OPENSSL_CIPHER_RC2_128))
{
  //Encryption successful, proceed to send the email:
  //Unfortunately, the PHPMailer used by Joomla is too limited to allow us to do this in Joom-space..
  //and using the mail() function rendered issues with reading the From: header... so we'll go for sendmail here...
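  //The temporary file name is passed through escapeshellarg() before it reaches the shell.
  exec(ini_get("sendmail_path") . " < " . escapeshellarg($crypt));

  //And remove the original and encrypted files from the filesystem, just to make sure no one finds them.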
  unlink($crypt);
}
unlink($orig);
?>


As mentioned in the comments, I've ended up manually calling sendmail. This might not be supported on all systems, in which case you'll probably have to use some SMTP mailer or pray the mail() command will work. We cannot use the JMail class in joom-space, as this will override a few important headers we need to inform the mail client that it's an encrypted email.

/Fredrik
mat 29 Sep, 2009

So, what to do next[…]


Thank you Fredrik for your complete answer, but my customer has just rejected the little additional fee (1 hour of work estimated) for implementing and testing the encryption.😢
So I’ll try this solution for my knowledge when I have some free time.
saber 13 Jan, 2011
Hi
I have got the same problem here (need to send an encrypted email from a ChronoForms Form) and I just can't find a solution.
Has anything changed in CF or Joomla-Mailing or the combination of the two since 2009?
Thank you for every help or hint!
GreyHead 13 Jan, 2011
Hi saber.

Nothing significant has changed that I can think of. But I know next to nothing about email encryption :-(

Bob
saber 13 Jan, 2011
Thank you GreyHead
I hope someone out there can help me with this.
I tried to use "Net/SMTP.php" in combination with CF, no success, only some error messages😟
nml375 13 Jan, 2011
Hi saber,
It's hard to suggest what went wrong without even seeing the errors you've got.
The code does rely on the availability of the sendmail binary, though I guess it would be possible to use the Net_SMTP pear package, though I have not tried this myself. It also assumes that the config.tmp_path setting points to a writable directory (used for temporary files). Other than that, the only further requirement is the OpenSSL php libraries, and a proper keypair.

/Fredrik
saber 14 Jan, 2011
Hi Fredrik
Thank you for your reply.
I have got a GeoTrust Global CA (RapidSSL CA), so the form is on a https site.
I have got no Personal E-mail Certificate, but according to the provider, I should be able to send encrypted emails using Net-SMTP. Unfortunately they don't provide any further support for programmers.
A test file (anywhere) on the Server seems to work properly:
<?php
require 'Net/SMTP.php';
$from = 'user@example.com';
$rcpt = array('test@test.ch');
$subj = "Subject: Test Message\n";
$body = "Body Line 1\nBody Line 2";
...
?>
So in the form I set "Email the results ?" to NO and copied the code into the "On Submit code - after sending email:"-field.
Unfortunately, the path to Net/SMTP.php is wrong now, and I can't figure out how to set the correct path (without "/home/httpd/vhosts/orthopunkt.ch/httpdocs/...").

Here is what I get:
Warning: require(Net/SMTP.php) [function.require]: failed to open stream: No such file or directory in /home/httpd/vhosts/orthopunkt.ch/httpdocs/components/com_chronocontact/libraries/customcode.php(51) : eval()'d code on line 3

Fatal error: require() [function.require]: Failed opening required 'Net/SMTP.php' (include_path='.:/usr/share/pear:/usr/share/php') in /home/httpd/vhosts/orthopunkt.ch/httpdocs/components/com_chronocontact/libraries/customcode.php(51) : eval()'d code on line 3

I am not familiar with SSL and mail encryption, so I do everything in "blind flight"...
If you are interested - this is my test-form: https://www.orthopunkt.ch/onlineauftragssl
Thank you for your help!
GreyHead 14 Jan, 2011
Hi saber,

You can set a path relative to the site root with
require(JPATH_SITE.DS."Net".DS."SMTP.php");

Bob
saber 14 Jan, 2011
Hi GreyHead

Can I copy your code as it is?
I still get these errors:

Warning: require() [function.require]: Unable to access /home/httpd/vhosts/orthopunkt.ch/httpdocs/Net/SMTP.php in /home/httpd/vhosts/orthopunkt.ch/httpdocs/components/com_chronocontact/libraries/customcode.php(51) : eval()'d code on line 2

Warning: require(/home/httpd/vhosts/orthopunkt.ch/httpdocs/Net/SMTP.php) [function.require]: failed to open stream: No such file or directory in /home/httpd/vhosts/orthopunkt.ch/httpdocs/components/com_chronocontact/libraries/customcode.php(51) : eval()'d code on line 2

Fatal error: require() [function.require]: Failed opening required '/home/httpd/vhosts/orthopunkt.ch/httpdocs/Net/SMTP.php' (include_path='.:/usr/share/pear:/usr/share/php') in /home/httpd/vhosts/orthopunkt.ch/httpdocs/components/com_chronocontact/libraries/customcode.php(51) : eval()'d code on line 2
GreyHead 14 Jan, 2011
Hi saber,

Looks as though the file isn't there either. Exactly where have you put it?

Bob
saber 14 Jan, 2011
I did not put the file anywhere, it is installed on the webserver, but not in the folder httpdocs as the Joomla installation, but somewhere like /usr/share/pear (I guess).
My test.php-file works fine and has no problem with "require 'Net/SMTP.php'", even if I move it to different locations on the server, like components/chronoforms/... I don't have to change the path - it just works. But - unfortunately - not when called from the form.
As already mentioned - I am absolutely not familiar with Net_SMTP...
nml375 14 Jan, 2011
Hi Saber,
First of all, using the "Secure connection" (SSL) option of Net_SMTP will not encrypt your email, it will simply encrypt the connection between the web server running the script, and the email server. Once it has been delivered to the email server, it will once again be plaintext. There is also no guarantee that this mailserver will use SSL when relaying the email further to the recipient's email server.

Next, the error messages indicate that the include_path setting is unaltered, so php really should be able to find the file if it's located at /usr/share/pear/Net/SMTP.php. The eval() call done by ChronoForms shouldn't matter, though you could try adding the include/require-command to the top of the chronocontact.php-file, making it available throughout all of ChronoForms...

/Fredrik
saber 16 Jan, 2011
Hi Fredrik
So, the email is not encrypted and I don't manage to get rid of the error messages with the include/require-command...😟

Is it possible to send an encrypted email from a ChronoForm form at all ?
If yes - what exactly do I need and what do I have to do to make it work?
If no - what do you recommend - or, what would you do in my situation (a "critical" form on a Joomla-website)?
Thank you!
nml375 16 Jan, 2011
Hi Saber,
That would be a conditional yes; provided that the openssl components of PHP are installed. There also needs to be some facility to send the email without mangling the email headers; this rules out the JMail class in Joomla, and is the reason I opted for using the sendmail binary. I've seen a few solutions that allow the use of the php mail() command:
<?php
$key = file_get_contents('client_email_cert.x509');

$msg = "Hello Client, Content will follow...";
$to = 'yourclient@example.com';
$subject = 'Submitted form data';

$headers = array(
  'To' => $to,
  'From' => 'Yoursite <webmaster@yoursite.it>',
  'Subject' => $subject
);

//Create a file to hold our original message and our encrypted message:
//Use the tmp_path setting from configuration.php..
$config = JFactory::getConfig();

$orig = $config->getValue('config.tmp_path').DS.uniqid('txt');
$crypt = $config->getValue('config.tmp_path').DS.uniqid('enc');

//Write the email to the temporary file..
file_put_contents($orig, $msg);
//...and encrypt it using the public key:
if (openssl_pkcs7_encrypt($orig, $crypt, $key, $headers, PKCS7_TEXT, OPENSSL_CIPHER_RC2_128))
{
  //Load the encrypted data from the temporary file, and extract headers and message
  $data = file_get_contents($crypt);
  $parts = explode("\n\n", $data, 2);

  //Then send them off to the email system..
  mail($to, $subject, $parts[1], $parts[0]);
  //And remove the original and encrypted files from the filesystem, just to make sure no one finds them.
  unlink($crypt);
}
unlink($orig);
?>

If you lack a certificate/keypair for the encryption/decryption, these can also be created using the openssl components. You'll find some details on how to do this using php here: http://se.php.net/manual/en/function.openssl-csr-new.php

If the openssl components are not available on the server, your best bet would probably be to use a DB storage on site, and provide an interface such as ChronoConnectivity over https to view records online.

/Fredrik
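
The approach from the post above as an added, stand-alone PHP example (not code from the thread's authors or from ChronoForms): it encrypts a message to a recipient certificate with AES-256-CBC rather than RC2, keeps the plaintext in mode-0600 tempnam() files that are removed on every path, and decrypts the result with the matching private key to show the round trip. The function name smime_encrypt, the addresses, and the key pair and certificate generated inside the script are assumptions constructed for the example.

```php
<?php
// Added example; the key pair and certificate below are constructed test data.

// Encrypt $body to the certificate in $certPem; returns the S/MIME message or false.
function smime_encrypt($body, $certPem, array $headers)
{
    // Header values must stay on one line, so drop any CR/LF they contain.
    foreach ($headers as $name => $value) {
        $headers[$name] = str_replace(array("\r", "\n"), '', $value);
    }
    // tempnam() creates mode-0600 files with unpredictable names.
    $plain = tempnam(sys_get_temp_dir(), 'txt');
    $enc   = tempnam(sys_get_temp_dir(), 'enc');
    try {
        file_put_contents($plain, $body);
        // AES-256-CBC in place of the RC2 cipher used in the 2009 code.
        $ok = openssl_pkcs7_encrypt($plain, $enc, $certPem, $headers,
                                    PKCS7_TEXT, OPENSSL_CIPHER_AES_256_CBC);
        return $ok ? file_get_contents($enc) : false;
    } finally {
        // Clean up on every path, including a failed encryption.
        @unlink($plain);
        @unlink($enc);
    }
}

// Constructed recipient: in production only the certificate is on the web
// server and the private key stays in the recipient's mail client.
$pkey = openssl_pkey_new(array('private_key_bits' => 2048,
                               'private_key_type' => OPENSSL_KEYTYPE_RSA));
$csr  = openssl_csr_new(array('commonName'   => 'Test Recipient',
                              'emailAddress' => 'client@example.com'), $pkey);
$cert = openssl_csr_sign($csr, null, $pkey, 30);   // self-signed, 30 days
openssl_x509_export($cert, $certPem);

$mime = smime_encrypt("Name: Jane Example\nNote: constructed sample\n", $certPem, array(
    'To'      => 'client@example.com',
    'From'    => 'Yoursite <webmaster@example.com>',
    'Subject' => 'Submitted form data',
));
if ($mime === false) {
    exit('encryption failed: ' . openssl_error_string() . "\n");
}
// Round trip: decrypting requires the recipient's private key.
$in  = tempnam(sys_get_temp_dir(), 'in');
$out = tempnam(sys_get_temp_dir(), 'out');
file_put_contents($in, $mime);
$ok = openssl_pkcs7_decrypt($in, $out, $cert, $pkey);
echo $ok ? file_get_contents($out) : 'decryption failed', "\n";
unlink($in);
unlink($out);
```

The string returned by smime_encrypt() already carries the To, From, Subject and S/MIME content headers, so it has to reach the mail system without a library rewriting those headers.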
saber 16 Jan, 2011
Thank you Fredrik
I'll give it a try...
saber 24 Jan, 2011
...just to let you know:
I finally gave up trying to make this work - I have just not enough background-knowledge about the subject.
So finally I installed ChronoConnectivity and adjusted the result-page the way it fits my customer's needs, so he can get the information there instead of receiving it directly in an email.
I hope he accepts this... otherwise I need to find someone who solves this "problem" for me...

By the way: ChronoForms and ChronoConnectivity work fantastic together - thank you for your great extensions!

Greetings from Switzerland
Simone