Former Member

Fixing the Sender SMTP issue


I'm dealing with a security issue in BO XI 3.0 (I think it's the same with previous versions). When you send a document via email and if you uncheck the default settings, you can enter any email address into the "From" field. Even your CEO's address. The only condition is that this address exists in the SMTP directory.

After looking on the forum, it seems that it can't be fixed with any CMC settings. So I'm trying to secure it via the SDK. Has anyone already done this before?

I have 2 ideas, could you tell me which one seems better to you?

  • When the "send email" form is populated, the idea is to retrieve the email of the connected user and fill the "From" field with it.

  • During the form validation, there is a JavaScript function called checkSMTP(). This function checks that the "From" field is filled. Maybe I could check that the email address filled in the field is the same as the email address of the connected user?

What do you think of those solutions? Feasibility? Risk? Security?

Any help will be nice.



1 Answer

  • Oct 16, 2008 at 05:17 PM

    Before going the SDK way, have you tried setting the SMTPFrom context-param in the InfoViewApp WEB-INF/web.xml file?


    Ted Ueda


    • I would suggest, if you have support, to open a SAP Incident and get clarification on why the behavior is inconsistent.

      One of the dangers in modifying InfoView is that it's just not designed to be modified, and modifications will likely break with a new service pack (i.e., not something you'd want to move forward with).


      Ted Ueda
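The comparison described in the question's second idea (the submitted "From" address must equal the logged-in user's address), as an added example that is not part of the original thread and is not BusinessObjects or InfoView code. It is written as a pure function so it can run wherever the mail is actually submitted, since a check that lives only in the browser can be skipped by the client; `extractAddress`, `enforceSender` and the sample addresses are hypothetical names and constructed values.

```javascript
// Added illustration: not BusinessObjects code. All names are hypothetical.

// Extract the bare address from "Name <addr>" or "addr"; null if malformed.
function extractAddress(fromField) {
  if (typeof fromField !== "string") return null;
  // CR or LF inside a header value would let extra headers be injected.
  if (/[\r\n]/.test(fromField)) return null;
  const trimmed = fromField.trim();
  const angle = trimmed.match(/^[^<>]*<([^<>]+)>$/);
  const addr = (angle ? angle[1] : trimmed).trim();
  // Exactly one address: a single "@", no whitespace, no list separators.
  if (!/^[^\s@,;<>]+@[^\s@,;<>]+$/.test(addr)) return null;
  // Assumption: addresses are compared case-insensitively.
  return addr.toLowerCase();
}

// Returns the address to use as sender, or throws if the request is rejected.
function enforceSender(submittedFrom, sessionUserEmail) {
  const expected = extractAddress(sessionUserEmail);
  if (expected === null) throw new Error("no valid address on user account");
  // Empty field: fall back to the account address (the question's first idea).
  if (submittedFrom == null || String(submittedFrom).trim() === "") {
    return expected;
  }
  const claimed = extractAddress(submittedFrom);
  if (claimed !== expected) {
    throw new Error("From address does not match logged-in user");
  }
  return expected;
}

// Constructed sample submissions for a user whose account address is
// alice@example.com.
const samples = [
  "Alice <Alice@Example.com>",            // accepted
  "",                                     // accepted, filled from account
  "ceo@example.com",                      // rejected: someone else's address
  "alice@example.com, ceo@example.com",   // rejected: more than one address
  "alice@example.com\r\nBcc: x@example.com", // rejected: header injection
];
for (const s of samples) {
  try {
    console.log(JSON.stringify(s), "->", enforceSender(s, "alice@example.com"));
  } catch (e) {
    console.log(JSON.stringify(s), "-> rejected:", e.message);
  }
}
```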