While not exactly as soon as everyone hoped, dasBlog 2.0 is set to be released next Tuesday.  The biggest change is that dasBlog is now compiled under .NET 2.0 and ALMOST fully supports medium trust. The goal of medium trust is for hosting providers to provide functional ASP.NET 2.0 hosting while also protecting against rogue or malicious applications.  Unfortunately that protection comes at the cost of application flexibility. We tried our best, but in the battle between security and functionality there are a few features that are limited in a medium trust environment:

  1. SMTP on alternative ports
    • This requires SmtpAccess.ConnectToUnrestrictedPort on the System.Net.Mail.SmtpPermission.  In a default medium trust environment you only get SmtpAccess.Connect, which allows port 25 access but that's it.  I would assume that this is to prevent spamming and maybe to prevent using the SmtpClient class to launch socket-based attacks.
  2. Mail to Weblog via POP3
    • This requires SocketPermission to at least the port and address of your POP3 server.  With the default medium trust settings you do not have any socket permissions.  This prevents applications from launching network-based attacks.  This is especially important if the web server is located behind a firewall, because then an ASP.NET application could access network resources intended to be protected by the firewall.

dasBlog will let you know that you don't have these privileges by displaying warnings on the configuration page:



There is some good news though: these limitations won't affect most users.  Many hosting providers that run limited trust environments don't run in the default medium trust, but rather a "modified full trust".  In that case you may already have all the permissions you need for all of the features to work.  

If your hosting provider does run the standard medium trust configuration, or their custom trust level doesn't provide the necessary permissions, there is still hope. Normally hosting providers allow access to a mail server that runs on port 25.  In most cases it doesn't even matter if the from address dasBlog is using is hosted on that server, as long as you are authenticating with a valid SMTP user.  The POP3 issue is a bit more difficult.  There are legitimate reasons for a provider to limit socket access, but if you ask nicely they might make an exception for the specific POP3 host you are using.  

There is one last consideration that needs to be accounted for in a reduced trust environment.  You can read more details here, but the basic idea is that in the default medium trust environment you can only make outbound web connections that match your originUrl.  originUrl is specified as a regular expression in your web.config file.  Setting it to ".*" will let dasBlog connect to any host.
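A runtime probe for the three permissions discussed above (SMTP, sockets and outbound web requests), as an added example that is not dasBlog's own code. The class name, POP3 host, port and URL are hypothetical placeholders.

```csharp
using System.Net;
using System.Net.Mail;
using System.Security;
using System.Text;

// Added example, not dasBlog's code. Written against .NET 2.0, where
// SecurityManager.IsGranted reports whether policy grants a permission to
// the calling assembly (the method is marked obsolete from .NET 4.0 on).
public static class TrustProbe
{
    // Hypothetical placeholders: substitute your own POP3 host and target URL.
    private const string Pop3Host = "pop.example.com";
    private const int Pop3Port = 110;
    private const string OutboundUrl = "http://ping.example.com/";

    // Port 25 only: the SMTP access that default medium trust grants.
    public static bool CanSendOnPort25()
    {
        return SecurityManager.IsGranted(new SmtpPermission(SmtpAccess.Connect));
    }

    // Needed for SMTP on any other port.
    public static bool CanSendOnAlternatePort()
    {
        return SecurityManager.IsGranted(
            new SmtpPermission(SmtpAccess.ConnectToUnrestrictedPort));
    }

    // Mail to Weblog: an outbound TCP connection to one host and port.
    public static bool CanReachPop3()
    {
        return SecurityManager.IsGranted(new SocketPermission(
            NetworkAccess.Connect, TransportType.Tcp, Pop3Host, Pop3Port));
    }

    // Outbound HTTP: under medium trust this depends on originUrl.
    public static bool CanCallOut()
    {
        return SecurityManager.IsGranted(
            new WebPermission(NetworkAccess.Connect, OutboundUrl));
    }

    // One line per feature, suitable for a diagnostics page.
    public static string Report()
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("SMTP on port 25:         " + CanSendOnPort25());
        sb.AppendLine("SMTP on alternate ports: " + CanSendOnAlternatePort());
        sb.AppendLine("POP3 socket access:      " + CanReachPop3());
        sb.AppendLine("Outbound web request:    " + CanCallOut());
        return sb.ToString();
    }
}
```

Calling `TrustProbe.Report()` from a page inside the hosted application shows which features the provider's trust level will block before a SecurityException surfaces at runtime.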

For more information about dasBlog check out http://www.dasblog.info, and if you have any questions about medium trust or anything else feel free to post on the dasBlog forums at http://www.dasblog.us


Posted at 8/12/2007 12:11 AM
Sunday, 10 February 2008 14:34:44 (Eastern Standard Time, UTC-05:00)
Nice writeup Tony.
I'm stuck with the second issue. I'm hosting at discountasp.net and getting SecurityException(SocketPermission) when using the [Mail to Weblog] feature.

I'll speak to them to see if they can enable POP3 access.
Saturday, 23 February 2008 20:53:56 (Eastern Standard Time, UTC-05:00)
Hi, I couldn't find any comment forms on the DasBlog pages and don't have a forum ID there yet. I am just testing the software. I just wanted to see if I could easily install it without any help, but got stumped at the download.

From the distribution page I can't tell which is the .net 2.0 and the 1.1 versions. The .net 2.0 release notification lacks a date and time stamp.

On one page there seem to be three sets of file distributions with mentions of 1.9 and 2.0. I can't really tell the difference between these distributions.
Friday, 29 February 2008 00:35:36 (Eastern Standard Time, UTC-05:00)
Thanks for the information on dasBlog, keep up the good work :)
Friday, 29 February 2008 00:59:04 (Eastern Standard Time, UTC-05:00)

You can grab the latest release version here:
dasBlog 2.0
Friday, 19 December 2008 09:40:37 (Eastern Standard Time, UTC-05:00)