pentacent / keila

Open Source Newsletter Tool.
https://keila.io
GNU Affero General Public License v3.0

SMTP `from_email` default could potentially leak password in Postmark #183

Status: Open. aej opened 1 year ago

aej commented 1 year ago

Postmark tells users to use the same value for the username and password when configuring SMTP (https://postmarkapp.com/smtp-service).

Given that the fallback value for `from_email` (set via env var `MAILER_SMTP_FROM_EMAIL`) is `MAILER_SMTP_USER`, if the user does not set the `MAILER_SMTP_FROM_EMAIL` environment variable then the `from_email` will actually be set to the server API token.

wmnnd commented 1 year ago

Thanks for reporting this! It would probably be best to err on the side of caution and get rid of the fallback in favor of more explicit configuration.
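To make the failure mode in the report and the explicit-configuration fix suggested in the reply concrete, here is an added illustration (not Keila's code). It assumes a hypothetical `MAILER_SMTP_PASSWORD` variable alongside the two named in the issue, and uses a constructed placeholder token rather than a real Postmark credential.

```python
import re

# Constructed environment for illustration; the token is a placeholder.
# Postmark documents using the server API token as both username and
# password, so the two values are identical here on purpose.
# MAILER_SMTP_PASSWORD is an assumed variable name, not from the issue.
FAKE_POSTMARK_ENV = {
    "MAILER_SMTP_USER": "placeholder-server-token-0000",
    "MAILER_SMTP_PASSWORD": "placeholder-server-token-0000",
    # MAILER_SMTP_FROM_EMAIL intentionally left unset
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def from_email_with_fallback(env):
    """Behaviour described in the issue: a missing MAILER_SMTP_FROM_EMAIL
    silently falls back to the SMTP username."""
    return env.get("MAILER_SMTP_FROM_EMAIL") or env.get("MAILER_SMTP_USER")


def from_email_explicit(env):
    """Hypothetical hardened resolver: no fallback, the value must look like
    an address, and it may never equal the SMTP password, so a credential
    cannot end up in a From header even if an operator sets it by mistake."""
    value = env.get("MAILER_SMTP_FROM_EMAIL")
    if not value:
        raise ValueError("MAILER_SMTP_FROM_EMAIL must be set explicitly")
    if not EMAIL_RE.match(value):
        raise ValueError("MAILER_SMTP_FROM_EMAIL is not an email address")
    if value == env.get("MAILER_SMTP_PASSWORD"):
        raise ValueError("MAILER_SMTP_FROM_EMAIL must not equal the SMTP password")
    return value


def leaks_credential(env):
    """True when the fallback resolver would place the SMTP password in From."""
    return from_email_with_fallback(env) == env.get("MAILER_SMTP_PASSWORD")


if __name__ == "__main__":
    print("fallback leaks token:", leaks_credential(FAKE_POSTMARK_ENV))
    try:
        from_email_explicit(FAKE_POSTMARK_ENV)
    except ValueError as err:
        print("explicit resolver refuses:", err)
```

Running it against the constructed Postmark-style environment shows the fallback resolver returning the token as the sender address while the explicit resolver refuses to start.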