Does sending email via SMTP with a TLS connection encrypt the username and password?

I've written an application in Java which sends email. For sending email I've used SMTP with TLS.

Recently I've searched about TLS and I found the following description of TLS on this website: Transport Layer Security (TLS), a protocol that encrypts and delivers mail securely, helps prevent eavesdropping and spoofing (message forgery) between mail servers.

The above phrase says that TLS guarantees that the mail will be delivered securely, but it does not say anything about the password...

Suppose that I am using the following code in my application. As you can see, you need to hard-code the username and password, without any encryption.

    import java.util.Properties;
    import javax.mail.*;
    import javax.mail.internet.*;

    public class SendMail {
        public static void main(String[] args) throws MessagingException {
            // Credentials are hard-coded in the source, which is what the question is about.
            final String username = "[email protected]";
            final String password = "your Password";

            Properties props = new Properties();
            props.put("mail.smtp.auth", "true");
            props.put("mail.smtp.starttls.enable", "true"); // upgrade the plaintext connection with STARTTLS
            props.put("mail.smtp.host", "smtp-mail.outlook.com");
            props.put("mail.smtp.port", "587");              // submission port

            Session session = Session.getInstance(props,
                    new javax.mail.Authenticator() {
                        protected PasswordAuthentication getPasswordAuthentication() {
                            return new PasswordAuthentication(username, password);
                        }
                    });

            // Build and send a message so the snippet actually runs; the recipient is a placeholder.
            Message message = new MimeMessage(session);
            message.setFrom(new InternetAddress(username));
            message.setRecipients(Message.RecipientType.TO, InternetAddress.parse("recipient@example.com"));
            message.setSubject("Test");
            message.setText("Hello");
            Transport.send(message);
        }
    }

By using this strategy, does TLS encrypt my password while it is sent from my server to another server or not? Should I be worried about it or not?

Upvotes: 3

Views: 6396

Answers (1)

fge

Password transmission and communication encryption are two separate matters.

TLS is initiated over what is at first an unencrypted channel by issuing the STARTTLS command; if the server supports it, then the exchange is done and after it is done, the channel is encrypted.

And only then does the SMTP negotiation start; one part of this negotiation is authentication, if any. And even if you use the plain authentication mechanism (user and password sent over the wire as is), since the channel is encrypted at that time, eavesdroppers won't see it in the clear.

Of course, for more security, you may choose to use another authentication mechanism than the plain one (CRAM-MD5 for instance; others exist).


EDIT: OK, the answer above is only partially accurate; more details can be found in this excellent answer on ServerFault by @Bruno.

Upvotes: 4
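To make the "encoding is not encryption" point concrete, here is an added Python example that is not part of the question or the answer above. It builds the `AUTH PLAIN` line exactly as a client puts it on the wire, shows that a passive eavesdropper who captured it before the STARTTLS upgrade recovers the password with a single base64 decode, contrasts that with a CRAM-MD5 exchange (RFC 2195) where only an HMAC over the server's challenge is sent, and runs both through a toy simulation of a submission server that, like common real servers, advertises and accepts `AUTH` only after `STARTTLS`. The server model, the `ACCOUNTS` table and the account `alice@example.test` are constructed for the example; the reply strings are modelled on typical server responses, not taken from any particular product.

```python
import base64
import hashlib
import hmac

# Constructed test account for the simulated server below (not a real mailbox).
ACCOUNTS = {"alice@example.test": "s3cret"}


def auth_plain_line(username: str, password: str) -> str:
    """Build the AUTH PLAIN command as a client sends it (RFC 4616).
    The argument is base64(authzid NUL authcid NUL password): an encoding, not encryption."""
    raw = b"\0" + username.encode() + b"\0" + password.encode()
    return "AUTH PLAIN " + base64.b64encode(raw).decode()


def decode_auth_plain(line: str) -> tuple[str, str]:
    """What a passive eavesdropper recovers from an AUTH PLAIN line captured
    before STARTTLS: the username and the password, verbatim."""
    _verb, _mech, b64 = line.split(" ", 2)
    _authzid, username, password = base64.b64decode(b64).decode().split("\0")
    return username, password


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """RFC 2195 client response: base64(username + ' ' + hex(HMAC-MD5(password, challenge))).
    The password itself never crosses the wire, only a MAC over the server's challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(challenge_b64: str, response_b64: str) -> bool:
    """Server-side check of a CRAM-MD5 response. Note the server must keep the
    plaintext password on file to recompute the MAC; that is the mechanism's price."""
    username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    password = ACCOUNTS.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def simulate_session(commands: list[str]) -> list[tuple[str, str, bool]]:
    """Toy model of a port-587 submission server (assumed behaviour, modelled on common
    servers; not a real implementation). Returns (command, reply, sent_over_tls) triples.
    AUTH is only advertised and accepted once the STARTTLS upgrade has happened."""
    tls = False
    trace = []
    for cmd in commands:
        parts = cmd.split(" ", 2)
        verb = parts[0].upper()
        encrypted = tls  # the command travels on the channel as it is at that moment
        if verb == "EHLO":
            reply = "250 AUTH PLAIN CRAM-MD5" if tls else "250 STARTTLS"
        elif verb == "STARTTLS":
            if tls:
                reply = "503 5.5.1 TLS already active"
            else:
                reply = "220 2.0.0 Ready to start TLS"
                tls = True  # TLS handshake happens here; everything after it is encrypted
        elif verb == "AUTH":
            if not tls:
                reply = "530 5.7.0 Must issue a STARTTLS command first"
            elif len(parts) < 3 or parts[1].upper() != "PLAIN":
                reply = "504 5.5.4 Unrecognized authentication type"
            else:
                user, pw = decode_auth_plain(cmd)
                reply = ("235 2.7.0 Authentication successful"
                         if ACCOUNTS.get(user) == pw
                         else "535 5.7.8 Authentication credentials invalid")
        else:
            reply = "502 5.5.2 Command not implemented"
        trace.append((cmd, reply, encrypted))
    return trace


if __name__ == "__main__":
    line = auth_plain_line("alice@example.test", "s3cret")
    print("on the wire:", line)
    print("eavesdropper decodes:", decode_auth_plain(line))
    session = ["EHLO client.example.test", line, "STARTTLS", "EHLO client.example.test", line]
    for cmd, reply, over_tls in simulate_session(session):
        print(f"[{'TLS' if over_tls else 'CLEAR'}] C: {cmd[:40]:<40} S: {reply}")
```

Running it shows the first `AUTH PLAIN` travelling in the clear and being refused with a 530, and the second one, sent after the 220 reply to `STARTTLS`, accepted over the encrypted channel. The thing to keep in mind from the question's Java configuration is that `mail.smtp.starttls.enable` only asks for the upgrade; if the server does not offer it and the client is not also told to require it (`mail.smtp.starttls.required`), the credentials would be sent exactly like the first line in this trace.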
