getgrav / grav-plugin-email

Grav Email Plugin
http://getgrav.org
MIT License

Encrypted password for SMTP #27

Closed nickkita closed 8 years ago

nickkita commented 8 years ago

Hi there! How can I store an encrypted password for SMTP?

After setting up the "Email plugin" in the admin panel, I get "email.yaml" on the server, in ../user/config/plugins. It looks like this:

enabled: true
from: info@site.com
to: info@site.com
mailer:
  engine: smtp
  smtp:
    server: smtp.example.com
    port: 465
    encryption: ssl
    user: nick1
    password: '12345'
  sendmail:
    bin: /usr/sbin/sendmail
content_type: text/html
debug: false

Here the password is stored unencrypted, and any user having access to the server can see the public mail password.

rhukster commented 8 years ago

This is pretty standard. We need to be able to send the unencrypted password to the SMTP server to authenticate, so we can't 1-way encrypt the password. 2-way encryption is really not a secure solution, because we would have to encrypt and unencrypt with some key. This key would have to be stored on the server in some other file, so someone with access to the server could just get this key and unencrypt it.

I think you will find all CMSes (Joomla/Wordpress/etc) just store these SMTP passwords plaintext too.

The better solution is to create a specific SMTP account that is only for SMTP access. Then the worst that could happen is someone gets the PW and is able to send email, but you could revoke access to this user, or change the pw. The bigger problem you have is that someone had access to your filesystem, which means they could have done anything.
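The practical follow-up to the advice above is to audit what is on disk: confirm where a plaintext credential sits in email.yaml and make sure the file is readable only by the web server's user, so the "someone with access to the server" has to be that user or root. The following is an added example in Python, not code from the Grav project or from either commenter; it parses the nested-mapping subset of YAML that email.yaml uses (no PyYAML dependency), reports every plaintext secret-like key, and flags group- or world-readable file modes. The sample config is constructed from the one quoted in the issue, and the temporary-file demo is an assumption for offline use.

```python
"""Audit a Grav email plugin config for plaintext SMTP credentials and
loose file permissions.  Added example, not part of the Grav project."""
import os
import stat
import tempfile

# Constructed sample, modelled on the email.yaml quoted in the issue.
SAMPLE_EMAIL_YAML = """\
enabled: true
from: info@site.com
to: info@site.com
mailer:
  engine: smtp
  smtp:
    server: smtp.example.com
    port: 465
    encryption: ssl
    user: nick1
    password: '12345'
  sendmail:
    bin: /usr/sbin/sendmail
content_type: text/html
debug: false
"""

# Key names that normally hold a credential.
SECRET_KEYS = {"password", "pass", "passwd", "secret", "token", "api_key"}


def parse_simple_yaml(text):
    """Parse the nested-mapping YAML subset used by email.yaml (no lists,
    no multi-line scalars).  Returns nested dicts with string leaves."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping at that level)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip("'\"")
        # Climb back out to the mapping this line belongs to.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def find_plaintext_secrets(config, prefix=""):
    """Return dotted paths of secret-like keys that carry a non-empty value."""
    found = []
    for key, value in config.items():
        path = prefix + key
        if isinstance(value, dict):
            found.extend(find_plaintext_secrets(value, path + "."))
        elif key.lower() in SECRET_KEYS and value != "":
            found.append(path)
    return found


def mode_warnings(mode):
    """Warnings for a POSIX mode: a config holding a credential should be
    readable by its owner (the web server user) only."""
    warnings = []
    if mode & stat.S_IRGRP:
        warnings.append("group-readable")
    if mode & stat.S_IROTH:
        warnings.append("world-readable")
    return warnings


def audit_file(path):
    """Parse one config file and report plaintext secrets plus mode warnings."""
    with open(path, encoding="utf-8") as fh:
        config = parse_simple_yaml(fh.read())
    return {
        "secrets": find_plaintext_secrets(config),
        "mode_warnings": mode_warnings(os.stat(path).st_mode),
    }


def run_demo():
    """Write the sample config to a temp dir, audit it as a typical 0644
    file, then tighten it to 0600 and audit again.  Returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "email.yaml")  # assumed location
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_EMAIL_YAML)
        os.chmod(path, 0o644)
        before = audit_file(path)
        os.chmod(path, 0o600)
        after = audit_file(path)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("plaintext secrets:", before["secrets"])
    print("warnings at 0644:", before["mode_warnings"])
    print("warnings at 0600:", after["mode_warnings"])
```

Run it against the real `user/config/plugins/email.yaml` by calling `audit_file()` on that path; a non-empty `secrets` list is expected (the plugin needs the cleartext password, as the reply explains), so the actionable output is the `mode_warnings` list, which should be empty.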

nickkita commented 8 years ago

Thanks for the detailed answer! And sorry for the repeated issue. I did not notice it in the closed issues.

With best regards, Nick.