Does sending email over SMTP with a TLS connection really encrypt the username and password?

I wrote an application with Java that sends email. For sending email, I used SMTP with TLS.

I recently searched for information on TLS and I found the current description of TLS on this website: "Transport Layer Security (TLS), a protocol that encrypts and delivers mail securely, helps prevent eavesdropping and spoofing (message forgery) between mail servers."

The phrase above says that TLS guarantees mail will be delivered securely, but it doesn't say anything about the password ...

Suppose I am using the following code in my application; as you can see, it needs a hardcoded username and password without encryption.

    import java.util.Properties;
    import javax.mail.Authenticator;
    import javax.mail.PasswordAuthentication;
    import javax.mail.Session;

    public class SmtpTlsExample {
        public static void main(String[] args) {
            // Credentials sit in plain text in the application; TLS only protects them in transit
            final String username = "...@hotmail.com";
            final String password = "your Password";

            Properties props = new Properties();
            props.put("mail.smtp.auth", "true");
            // Opportunistic STARTTLS: JavaMail upgrades to TLS only if the server advertises it
            props.put("mail.smtp.starttls.enable", "true");
            props.put("mail.smtp.host", "smtp-mail.outlook.com");
            props.put("mail.smtp.port", "587");

            Session session = Session.getInstance(props, new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    return new PasswordAuthentication(username, password);
                }
            });
        }
    }

Using this strategy, does TLS encrypt my password when it is sent from my server to another server, or not? Should I be worried about this or not?



1 answer


Encrypting passwords and messaging are two separate issues.

TLS is initiated over the first unencrypted channel by issuing the STARTTLS command; if the server supports it, then the exchange is performed, and after its completion, the channel is encrypted.

And only then does the SMTP negotiation begin, and one part of this negotiation is authentication, if any. And even if you use a simple authentication mechanism (user and password sent over the wire as is), since the channel is encrypted at this point, eavesdroppers will not see it in the clear.



Of course, for more security, you can use a different authentication mechanism than the simple one (e.g. CRAM-MD5; others exist).


EDIT: OK, the answer above is only partially accurate; more details can be found in this excellent answer on ServerFault (@Bruno).

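To make the sequence in the answer concrete, here is an added Python model of the client side (example code, not from the question's JavaMail application or the answer): it logs every command together with whether TLS was active when it was sent, and refuses to send AUTH PLAIN over the plaintext channel unless explicitly allowed. The server replies, the hostname `client.example` and the credentials `user@example.com` / `s3cret` are constructed; no network is used.

```python
import base64

class TlsRequiredError(Exception):
    """Raised when AUTH would have to go over the unencrypted channel."""

class StartTlsClient:
    """Client side of an SMTP session: EHLO, STARTTLS, EHLO again, AUTH PLAIN.
    No network: the caller feeds in constructed server replies. Each line the
    client emits is logged with whether TLS was active when it left, i.e.
    whether a passive eavesdropper on the path could read it."""
    def __init__(self, username, password, require_tls=True):
        self.username, self.password = username, password
        self.require_tls = require_tls
        self.encrypted = False
        self.wire = []  # (tls_active, line) pairs

    def send(self, line):
        self.wire.append((self.encrypted, line))

    def ehlo(self, reply):
        self.send("EHLO client.example")
        return "STARTTLS" in reply.upper()  # opportunistic: only if advertised

    def starttls(self, reply):
        self.send("STARTTLS")
        if reply.startswith("220"):
            self.encrypted = True  # handshake done; later lines travel inside TLS
        return self.encrypted

    def auth_plain(self):
        if self.require_tls and not self.encrypted:
            raise TlsRequiredError("refusing to send the password in the clear")
        # AUTH PLAIN carries base64("\0user\0password"): encoding, not encryption
        token = base64.b64encode(f"\0{self.username}\0{self.password}".encode()).decode()
        self.send(f"AUTH PLAIN {token}")

def password_readable_on_wire(wire):
    """True if any AUTH line left the client while TLS was not active."""
    return any(not tls and line.startswith("AUTH ") for tls, line in wire)

def run_session(server_offers_starttls, require_tls=True):
    """One session against a constructed server transcript; returns the wire log."""
    client = StartTlsClient("user@example.com", "s3cret", require_tls)  # constructed
    caps = "250-mail.example\r\n" + ("250-STARTTLS\r\n" if server_offers_starttls else "")
    caps += "250 AUTH PLAIN LOGIN"
    if client.ehlo(caps):
        client.starttls("220 2.0.0 Ready to start TLS")
        client.ehlo(caps)  # EHLO is repeated inside TLS before AUTH
    client.auth_plain()
    return client.wire
```

With `require_tls=False` the model behaves like a purely opportunistic client: if the server never advertises STARTTLS, the AUTH line is logged with TLS inactive, which is exactly the case where the base64 token is readable by anyone on the path.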