How secure is the password when sending an email?


#1

Hi.

I'm just setting up a project where I am sending emails. It's working well, and now I'm wondering how the password is transmitted, because when you set it up you put your password like:

process.env.MAIL_URL = 'smtp://test@mail.com:password@smtp.mail.com:587';

So if anyone is connected to my LAN or something, can he somehow see or sniff my password?


#2

I might be wrong but does it not depend on the endpoint?

If the SMTP server operates on SSL/TLS then you should not have much to worry about.

That being said, Meteor uses an old version of simplesmtp from npm and is configured to use a secure connection if the mail server port is 465.

I'm not exactly sure, but if the server reports supporting STARTTLS, the password is probably sent securely anyway.


#3

Hi. First of all, anyone who has access to your system and can read your config or startup file will be able to read the clear-text password. Without some magic process of salting, this is normal by design.

When the process comes to the point of "sending" E-Mail, it depends on the service how username and password are exchanged between client and server.

There are some major transports like PLAIN and TLS. While in plain mode the Username:Password is sent (and so sniffable) without encryption, modes like TLS will not send plain data. Which "protocol" should be used will be handshaked by client and server before transmission, based on their software support level.

So it is more a question of how you will relay your E-Mails. If running Meteor on a local server, you could set up a mail relay with a local exim or postfix server, reachable only on localhost without any password. If you wish to use a service like Mailchimp etc., I guess the identification procedure will be encrypted.

Good question; for a 100% analysis I have to check the SMTP library used by the Meteor package.


#4

Well, checked; now it should be clear.

The source for sending mail is located at: package email

At line 32 you see the requirement of the npm module simplesmtp. If you look at that, the library, even when marked as deprecated, is able to use encrypted and TLS connections.

If setting port 465 in MAIL_URL you can explicitly enable secureConnection. How the URL has to be correctly defined can be checked on the page of the npm module url.

So by now I would say: if your server supports TLS or a secured connection, sending mail with a correct MAIL_URL definition is safe.
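The checks discussed in posts #2 to #4, as an added example that is not code from the Meteor email package, from simplesmtp, or from any poster: it parses a MAIL_URL with Node's built-in URL class, reports whether the port implies a TLS-wrapped connection (the port-465 rule the thread describes) or a cleartext session that relies on STARTTLS before AUTH, and redacts the password for logging, since anyone who can read the config sees it in the clear. The default ports when none is given and the labels for ports other than 465 are assumptions based on common SMTP conventions, not something the thread states.

```javascript
// Added example (not the Meteor "email" package's code): inspect a MAIL_URL
// before handing it to the mailer.

function parseMailUrl(mailUrl) {
  // The WHATWG URL parser splits userinfo at the last "@" before the host, so
  // the thread's example with an unencoded "@" in the user part still parses;
  // that "@" comes back percent-encoded as "%40" and is decoded here.
  const u = new URL(mailUrl);
  if (u.protocol !== 'smtp:' && u.protocol !== 'smtps:') {
    throw new Error('not an SMTP URL: ' + mailUrl);
  }
  return {
    scheme: u.protocol.slice(0, -1),
    username: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
    host: u.hostname,
    // Assumed defaults when the URL carries no port: 465 for smtps, 25 for smtp.
    port: u.port ? Number(u.port) : (u.protocol === 'smtps:' ? 465 : 25),
  };
}

function classifyTransport(parsed) {
  // Port 465 (or an smtps URL): TLS from the first byte, so the AUTH exchange
  // is never on the wire in the clear. Any other port: the session starts in
  // cleartext and the password is protected only if the client upgrades with
  // STARTTLS before authenticating (assumption based on SMTP conventions).
  const implicitTls = parsed.scheme === 'smtps' || parsed.port === 465;
  return {
    secureConnection: implicitTls,
    credentialsInClearWithoutStartTls: !implicitTls,
    note: implicitTls
      ? 'TLS-wrapped connection; password is encrypted on the wire'
      : 'cleartext session; password is sniffable on the LAN unless STARTTLS is negotiated before AUTH',
  };
}

function redactMailUrl(mailUrl) {
  // Anyone who can read the config sees the password, so never echo MAIL_URL
  // into logs without masking it first.
  const u = new URL(mailUrl);
  if (u.password) u.password = '***';
  return u.href;
}

// Constructed sample values, shaped like the thread's example.
const SAMPLE_SUBMISSION_PORT = 'smtp://test@mail.com:password@smtp.mail.com:587';
const SAMPLE_IMPLICIT_TLS = 'smtp://test%40mail.com:password@smtp.mail.com:465';

for (const sample of [SAMPLE_SUBMISSION_PORT, SAMPLE_IMPLICIT_TLS]) {
  const parsed = parseMailUrl(sample);
  const verdict = classifyTransport(parsed);
  console.log(redactMailUrl(sample), '->', parsed.host + ':' + parsed.port, verdict.note);
}
```

On the thread's own example (port 587) the verdict is "cleartext session", which is exactly the case post #2 and post #3 hedge about: the password is only protected if the server offers STARTTLS and the client upgrades before AUTH. Switching the URL to port 465 moves it into the implicit-TLS branch that post #4 describes.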