
Misconfigured SMTP SSL

What does this mean?

A misconfigured SMTP SSL/TLS vulnerability is a security flaw that occurs when a mail client's or server's Simple Mail Transfer Protocol (SMTP) connection is not properly protected by TLS (the successor to SSL): either the connection is not encrypted at all, or — as in most of the examples below — encryption is enabled but the server's certificate chain or host name is not verified, so any certificate an attacker presents is accepted.

What can happen?

An attacker positioned on the network path (a man-in-the-middle) can intercept and read sensitive information, such as the SMTP credentials and the contents of the messages, and may also alter messages in transit. When certificate validation is disabled, the attacker can impersonate the mail server with a forged or self-signed certificate without the client noticing, so the encryption provides no real protection.

Recommendation

Properly configure SMTP SSL/TLS: encrypt every connection (implicit TLS on port 465 or mandatory STARTTLS on port 587, never an opportunistic mode that silently falls back to plaintext), keep certificate chain and host-name verification enabled, and never register an accept-all validation callback or disable peer verification to work around certificate errors — fix the certificate or trust store instead.

Sample Code

Vulnerable (C#):

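// Vulnerable: an accept-all certificate validation callback.
// EnableSsl makes the client negotiate TLS (STARTTLS), but the callback below
// ignores sslPolicyErrors and returns true, so ANY certificate is accepted —
// expired, self-signed, or issued for a different host. An attacker on the
// network path can therefore impersonate smtp.example.com and capture the
// credentials and the message. The assignment is also process-wide: it applies
// to every TLS connection made through ServicePointManager, not just this client.
ServicePointManager.ServerCertificateValidationCallback =
    delegate (object s, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true; // Vulnerable: never inspects sslPolicyErrors
    };

SmtpClient smtpClient = new SmtpClient("smtp.example.com");
smtpClient.UseDefaultCredentials = false;
smtpClient.Credentials = new NetworkCredential("username", "password");
smtpClient.EnableSsl = true; // TLS is negotiated, but validation was disabled above

MailMessage mailMessage = new MailMessage();
mailMessage.From = new MailAddress("sender@example.com");
mailMessage.To.Add("recipient@example.com");
mailMessage.Subject = "Test Email";
mailMessage.Body = "This is a test email sent through SMTP with SSL.";

smtpClient.Send(mailMessage);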

Non-vulnerable (C#):

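// Non-vulnerable: TLS is enabled and the framework's default certificate
// validation is left in place. The default validator rejects a certificate
// whose chain does not end at a trusted root or whose name does not match
// "smtp.example.com", which is what defeats a man-in-the-middle.
// Do NOT register an accept-all ServicePointManager.ServerCertificateValidationCallback
// (one that ignores sslPolicyErrors and returns true): it disables validation
// for every TLS connection in the process, not just this client.
using (SmtpClient smtpClient = new SmtpClient("smtp.example.com"))
{
    smtpClient.UseDefaultCredentials = false;
    smtpClient.Credentials = new NetworkCredential("username", "password");
    // EnableSsl requests STARTTLS on the submission port. NOTE(review): per the
    // .NET documentation System.Net.Mail.SmtpClient does not support implicit
    // TLS (SMTPS, port 465) — confirm which mode the server expects.
    smtpClient.EnableSsl = true;

    // SmtpClient and MailMessage are IDisposable; dispose them so the
    // connection and message resources are released even if Send throws.
    using (MailMessage mailMessage = new MailMessage())
    {
        mailMessage.From = new MailAddress("sender@example.com");
        mailMessage.To.Add("recipient@example.com");
        mailMessage.Subject = "Test Email";
        mailMessage.Body = "This is a test email sent through SMTP with SSL.";

        smtpClient.Send(mailMessage);
    }
}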

Vulnerable (Java):

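// Noncompliant: implicit TLS is enabled on port 465, but the server's
// certificate is never checked against the host name. A validly signed
// certificate issued for ANY other host is accepted, so a man-in-the-middle
// can present its own certificate and read the credentials and the message.
Email email = new SimpleEmail();
email.setHostName("smtp.example.com"); // Commons Email needs a host name to build the mail session
email.setSmtpPort(465);
email.setAuthenticator(new DefaultAuthenticator(username, password));
email.setSSLOnConnect(true); // Noncompliant; setSSLCheckServerIdentity(true) should also be called before sending the email
// Sender, recipient and content so that send() has a complete message.
email.setFrom("sender@example.com");
email.addTo("recipient@example.com");
email.setSubject("Test Email");
email.setMsg("This is a test email sent through SMTP with SSL.");
email.send();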

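// Noncompliant: the SSL socket factory encrypts the connection and (with the
// default trust store) typically checks the certificate chain, but host-name
// verification is a separate switch: in JavaMail releases where
// "mail.smtp.ssl.checkserveridentity" defaults to false (check your version),
// a valid certificate for any other host is accepted.
Properties props = new Properties();
props.put("mail.smtp.host", "smtp.gmail.com");
props.put("mail.smtp.socketFactory.port", "465");
props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); // Noncompliant; Session is created without having "mail.smtp.ssl.checkserveridentity" set to true
props.put("mail.smtp.auth", "true");
props.put("mail.smtp.port", "465");
// getInstance builds a Session from THESE properties. getDefaultInstance
// returns a JVM-wide singleton whose properties and authenticator are fixed
// by whichever caller created it first, so settings passed later (including
// security-relevant ones) can be silently ignored.
Session session = Session.getInstance(props, new javax.mail.Authenticator() {
    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("username@gmail.com", "password");
    }
});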

Non-vulnerable (Java):

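// Compliant: implicit TLS on port 465 AND the certificate's subject is checked
// against the host name, so a certificate issued for another host is rejected.
Email email = new SimpleEmail();
email.setHostName("smtp.example.com"); // Commons Email needs a host name to build the mail session
email.setSmtpPort(465);
email.setAuthenticator(new DefaultAuthenticator(username, password));
email.setSSLOnConnect(true);
email.setSSLCheckServerIdentity(true); // Compliant: must be set before send()
// Sender, recipient and content so that send() has a complete message.
email.setFrom("sender@example.com");
email.addTo("recipient@example.com");
email.setSubject("Test Email");
email.setMsg("This is a test email sent through SMTP with SSL.");
email.send();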

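// Compliant: besides encrypting with the SSL socket factory, the session
// verifies that the certificate's subject matches the host it connects to.
Properties props = new Properties();
props.put("mail.smtp.host", "smtp.gmail.com");
props.put("mail.smtp.socketFactory.port", "465");
props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); // implicit TLS on 465 (newer JavaMail releases also offer "mail.smtp.ssl.enable" — see their docs)
props.put("mail.smtp.auth", "true");
props.put("mail.smtp.port", "465");
// Compliant: host-name verification. Stored as the String "true" like the
// other entries so it is also visible through Properties.getProperty().
props.put("mail.smtp.ssl.checkserveridentity", "true");
// getInstance builds a Session from THESE properties. getDefaultInstance
// returns a JVM-wide singleton fixed by whichever caller created it first, so
// the security setting above could silently be ignored.
Session session = Session.getInstance(props, new javax.mail.Authenticator() {
    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("username@gmail.com", "password");
    }
});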

Vulnerable (PHP):

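// Vulnerable: SMTPOptions explicitly disables certificate validation on the
// TLS stream. SMTPSecure = 'ssl' still negotiates implicit TLS on port 465,
// but with verify_peer/verify_peer_name off and allow_self_signed on the
// client accepts ANY certificate, so a man-in-the-middle can present its own
// and capture the SMTP credentials and the message. PHP's stream defaults
// verify the peer (since PHP 5.6); this block is the common "quick fix" for
// certificate errors that creates the vulnerability.
$mail = new PHPMailer;
$mail->isSMTP();
$mail->Host = 'smtp.example.com';
$mail->SMTPAuth = true;
$mail->Username = 'username';
$mail->Password = 'password';
$mail->SMTPSecure = 'ssl';
$mail->Port = 465;
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,      // Vulnerable: no chain validation
        'verify_peer_name' => false, // Vulnerable: no host-name check
        'allow_self_signed' => true  // Vulnerable: any self-signed cert passes
    )
);

$mail->setFrom('sender@example.com', 'Sender Name');
$mail->addAddress('recipient@example.com', 'Recipient Name');
$mail->Subject = 'Test Email';
$mail->Body = 'This is a test email sent through SMTP with SSL.';

// send() returns false on failure unless PHPMailer was constructed with
// exceptions enabled; ignoring the result hides delivery failures.
if (!$mail->send()) {
    error_log('Mailer Error: ' . $mail->ErrorInfo);
}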

Non-vulnerable (PHP):

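// Non-vulnerable: implicit TLS on port 465 with peer verification kept on.
// The SMTPOptions below match PHP's secure stream defaults, but stating them
// explicitly prevents a later "fix" from silently switching them off and
// documents that chain validation AND host-name matching are both required.
$mail = new PHPMailer;
$mail->isSMTP();
$mail->Host = 'smtp.example.com';
$mail->SMTPAuth = true;
$mail->Username = 'username';
$mail->Password = 'password';
$mail->SMTPSecure = 'ssl';
$mail->Port = 465;
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => true,       // certificate must chain to a trusted CA
        'verify_peer_name' => true,  // certificate must match $mail->Host
        'allow_self_signed' => false // never accept self-signed certificates
    )
);

$mail->setFrom('sender@example.com', 'Sender Name');
$mail->addAddress('recipient@example.com', 'Recipient Name');
$mail->Subject = 'Test Email';
$mail->Body = 'This is a test email sent through SMTP with SSL.';

// send() returns false on failure unless PHPMailer was constructed with
// exceptions enabled; ignoring the result hides delivery failures.
if (!$mail->send()) {
    error_log('Mailer Error: ' . $mail->ErrorInfo);
}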

Vulnerable (JavaScript / Node.js):

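const nodemailer = require('nodemailer');

// Vulnerable: rejectUnauthorized: false turns off certificate validation for
// the TLS socket. `secure: true` still encrypts the connection on port 465,
// but the client accepts any certificate, so an attacker on the network path
// can terminate TLS with their own certificate and read the credentials.
// Node's default is rejectUnauthorized: true; setting it to false is a
// common "quick fix" for certificate errors and is exactly the misconfiguration.
const transporter = nodemailer.createTransport({
    host: 'smtp.example.com',
    port: 465,
    secure: true,
    auth: {
        user: 'username',
        pass: 'password'
    },
    tls: {
        rejectUnauthorized: false // Vulnerable: accepts any certificate
    }
});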

Non-vulnerable (JavaScript / Node.js):

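const nodemailer = require('nodemailer');

// Non-vulnerable: implicit TLS on port 465 with certificate validation kept on.
// rejectUnauthorized: true (Node's default, made explicit here) rejects
// certificates that do not chain to a trusted CA or do not match the host.
// For STARTTLS on port 587 use `secure: false, requireTLS: true` so the client
// refuses to continue in plaintext if the server does not offer STARTTLS.
const transporter = nodemailer.createTransport({
    host: 'smtp.example.com',
    port: 465,
    secure: true,
    auth: {
        user: 'username',
        pass: 'password'
    },
    tls: {
        rejectUnauthorized: true,
        minVersion: 'TLSv1.2' // forwarded to tls.connect; refuses obsolete protocol versions
    }
});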

Vulnerable (Go):

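// Vulnerable: InsecureSkipVerify disables certificate verification, so the
// STARTTLS upgrade below encrypts the session but accepts any certificate —
// a man-in-the-middle can terminate TLS with its own certificate and read
// everything sent afterwards (authentication, message).
// Connect to the remote SMTP server; plaintext until StartTLS succeeds.
c, err := smtp.Dial("smtp.example.com:25")
if err != nil {
    log.Fatal(err)
}
defer c.Close()

// Set up insecure TLS connection
tlsConfig := &tls.Config{
    InsecureSkipVerify: true, // Vulnerable
}

// Without this call tlsConfig is never used and the session simply stays
// plaintext; with it the session is encrypted but unauthenticated.
if err := c.StartTLS(tlsConfig); err != nil {
    log.Fatal(err)
}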

Non-vulnerable (Go):

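// Non-vulnerable: the TLS config names the expected server and leaves
// certificate verification on (InsecureSkipVerify defaults to false), so the
// STARTTLS handshake fails unless the server presents a certificate that
// chains to a trusted root AND matches "smtp.example.com".
// Connect to the remote SMTP server; plaintext until StartTLS succeeds.
// For implicit TLS (SMTPS, port 465) use tls.Dial followed by smtp.NewClient.
c, err := smtp.Dial("smtp.example.com:25")
if err != nil {
    log.Fatal(err)
}
defer c.Close()

// Set up secure TLS connection
tlsConfig := &tls.Config{
    ServerName: "smtp.example.com", // Non Vulnerable: crypto/tls requires this for host-name verification
    MinVersion: tls.VersionTLS12,   // refuse obsolete protocol versions
}

// Upgrade the session before any credentials or message data are sent.
// Without this call tlsConfig is never used and the session stays plaintext.
if err := c.StartTLS(tlsConfig); err != nil {
    log.Fatal(err)
}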

Vulnerable (Ruby):

require 'net/smtp'

# Vulnerable: Net::SMTP.start opens the connection and authenticates (PLAIN
# credentials) BEFORE the block runs, so by the time enable_starttls_auto is
# reached the session is already established in cleartext on port 25 and the
# call has no effect on it. Even when invoked before start, enable_starttls_auto
# is only opportunistic: if the server does not advertise STARTTLS (or an
# attacker strips it from the EHLO response) the session silently stays in
# plaintext. NOTE(review): newer net-smtp releases default to starttls: :auto
# themselves — still opportunistic, so the downgrade risk remains.
Net::SMTP.start('smtp.example.com', 25, 'localhost',
                'user@example.com', 'password', :plain) do |smtp|
    smtp.enable_starttls_auto # THIS LINE IS VULNERABLE: too late (session already started) and opportunistic
    smtp.send_message message, 'sender@example.com', 'receiver@example.net'
end

Non-vulnerable (Ruby):

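require 'net/smtp'
require 'openssl'

# Non-vulnerable: STARTTLS is mandatory and the server certificate is verified.
# Net::SMTP.start does not take an options hash as a trailing positional
# argument (that form raises ArgumentError), so the TLS settings are applied to
# an SSLContext on the client object and the session is started afterwards —
# TLS is negotiated before the PLAIN credentials are sent.
tls_options = {
    ca_file: '/path/to/ca_cert.pem',        # CA bundle the server cert must chain to
    verify_mode: OpenSSL::SSL::VERIFY_PEER  # reject untrusted or mismatched certs
}
ssl_context = OpenSSL::SSL::SSLContext.new
# set_params applies the openssl gem's DEFAULT_PARAMS first (with recent
# releases that includes host-name verification) and then our options.
ssl_context.set_params(tls_options)

smtp = Net::SMTP.new('smtp.example.com', 25)
# enable_starttls (not enable_starttls_auto): abort if the server does not
# offer STARTTLS instead of silently continuing in plaintext.
smtp.enable_starttls(ssl_context)
smtp.start('localhost', 'user@example.com', 'password', :plain) do |session|
    session.send_message message, 'sender@example.com', 'receiver@example.net'
end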

References