--VERY POOR EXECUTION DNN---
So I can appreciate that DNN has made it very clear they are tailoring their Evoq Content Platform to service their biggest government clients and taking more notice to the security measures needed to protect content and users passwords within the system. What frustrates me and I'm sure hundreds of other developers in the ecosystem is the way they have allowed new feature request demands to trump their dedication to backwards compatibility and upgrading. I feel compelled to write this post (my first one by the way) because I'm sure there are others out there this has happened to and they might not even know it yet.
I'm not entirely sure when they made the change to begin to store the SMTP password in the host settings, but it wasn't until the 7.02 upgrade that it literally brought my site to it's knees. All this time, my SMTP password that is stored in the HostSettings table had been stored in clear text. I know this because I've had to go change it plenty of times when I would change the settings on my mail server as I'm sure many of you have as well. If the settings were wrong or the password was wrong, I would get error messages in the log but the module attempting to send mail using the DNN settings would just continue as if the SendMail code was implemented in a TryCatch and the Catch did not Throw an exception that would halt the following steps.
In steps the 7.02 upgrade. All of a sudden, I could not access my Host Settings which seemed weird, but upon investigation, it appears any function of my site that included some sort of email being sent...would halt the code and Throw an exception page with the error. Hmmm...what could it be?
As it turns out, if the value stored in the SMTP password field in your HostSettings table was not encoded using a Base64 conversion the core code halted anytime this setting was accessed...INCLUDING THE PAGE USED TO MAKE THE HOST SETTING CHANGE! Meaning, I could not load the HostSettings page because the core function to read the value in the DB had non-Base64 characters in it and instead of handling this error with some exception code block, they just assumed this field would never have any other values other than the proper encoding. That meant that ANY code on my site that involved any sort of email function...registration, password reset, Schedule alerts, and any other calls to the Email functionality, the code would flat out halt. Now consider this. There are a bunch of instances where the email call is not wrapped in any sort of SQL transaction so when the code fails, it leaves the session or in this case, the users action in a state that in many cases is unrecoverable. I have been left with many abandoned registrations and subsequent sales because the users registration failed and then could not go back and register again because the username (email) had already been used but never updated the profile so they could never login.
There are about 4 other scenarios where this one simple oversight and lack of upgradability / backwards compatibility has left me spending hours trying to rectify the data issues on my site. That was, after the 6 hours I spent trying to figure out what was actually going on.
So whats the take-away here? I am hoping this post might resonate with the DNN team urging them not to pressure their development team into releasing new features if it is going to lesson the quality of the code. Being a developer, I understand how Rapid Development directly affects the ability to write good code that will address fringe case scenarios, but come on. Requiring the password not to be stored in clear text is obviously a good thing but not allowing the code to continue if it is not is as unacceptable as taking the liberty to change my HTML input controls into Base64 images and setting the original controls to invisible. You gotta love those new DNN checkboxes right?
So, if anyone else is having this problem, the only fix is to go to your HostSettings table and remove the password value all together and set the SMTPEnableSSL=N. This will let you back into Host Settings where you can then reset your SMTP settings.
SMTPEnableSSL
SMTPEnableSSL