SMTP Assignment

| Field | Value |
|---|---|
| ID | smtp_assignment |
| Severity | info |
| Vendor | - |
| Family | Generic secret |
Description
The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. It is a common protocol for communication with Mail Transfer Agents (MTAs).
This detector looks for SMTP identifiers for the MTA, in the form of a host, a port, or a username, assigned to configuration variables.
Security
Hardcoded SMTP identification data can enable unintended actions against the email server or the email account.
Leaking the SMTP server hostname or IP address is generally only a concern for private mail transfer agents. Leaking the port can matter when the port is not publicly exposed and the MTA lacks appropriate security controls.
Leaking the MTA username typically carries more risk, but less than leaking the password or other authentication credentials.
Examples
spring.mail.smtp.username: bob
spring.mail.smtp.host: smtp.domain.com
spring.mail.smtp.port: 587
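The detection logic described above, as an added illustration rather than the detector's own implementation: a small scanner that flags SMTP host, port and username values assigned to configuration keys, skips values that are only references to an external source (environment variable or template placeholders, the kind of replacement the mitigation section recommends), and ignores comment lines. The sample configuration is constructed for the example, modelled on the page's own entry; the key pattern and placeholder rules are assumptions of this example.

```python
import re

# Constructed sample configuration (not real infrastructure), based on the page's example
# plus a few lines that should NOT be reported.
SAMPLE_CONFIG = "\n".join([
    "spring.mail.smtp.username: bob",         # hardcoded username -> report
    "spring.mail.smtp.host: smtp.domain.com", # hardcoded host -> report
    "spring.mail.smtp.port: 587",             # hardcoded port -> report
    "mail.smtp.host: ${SMTP_HOST}",           # reference to env/secret store -> skip
    "# smtp.host: old.example.invalid",       # commented out -> skip
    "SMTP_PORT=587",                          # env-style assignment -> report
    "server.port: 8080",                      # not SMTP -> skip
])

# Assumed key pattern: the key must mention "smtp" and end in host/port/user(name);
# the value may be quoted or bare and is separated by ':' or '='.
SMTP_ASSIGNMENT = re.compile(r"""
    ^\s*
    (?P<key>[\w.\-]*smtp[\w.\-]*?(?P<kind>host(?:name)?|port|user(?:name)?))
    \s*[:=]\s*
    (?P<value>"[^"]*"|'[^']*'|\S+)
    """, re.IGNORECASE | re.VERBOSE)

# Prefixes that mark a value as a reference/placeholder rather than a literal.
PLACEHOLDER_PREFIXES = ("$", "{{", "%(", "<")
COMMENT_PREFIXES = ("#", "//", ";")


def is_placeholder(value: str) -> bool:
    """True when the value is an indirection (env var, template) rather than a literal."""
    return value == "" or value.startswith(PLACEHOLDER_PREFIXES)


def normalize_kind(kind: str) -> str:
    """Map the matched key suffix onto the three identifier kinds the detector reports."""
    kind = kind.lower()
    if kind.startswith("user"):
        return "username"
    if kind.startswith("host"):
        return "host"
    return "port"


def find_smtp_assignments(text: str) -> list[dict]:
    """Return one finding per hardcoded SMTP identifier assignment in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(COMMENT_PREFIXES):
            continue
        match = SMTP_ASSIGNMENT.match(line)
        if not match:
            continue
        value = match.group("value").strip("\"'")
        if is_placeholder(value):
            continue
        kind = normalize_kind(match.group("kind"))
        # A "port" key holding a non-numeric value is not a real port assignment.
        if kind == "port" and not value.isdigit():
            continue
        findings.append({
            "line": lineno,
            "kind": kind,
            "key": match.group("key"),
            "value": value,
        })
    return findings


if __name__ == "__main__":
    for finding in find_smtp_assignments(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['kind']} {finding['key']} = {finding['value']}")
```

Run as a script it lists the four hardcoded assignments in the sample and stays silent on the placeholder, the comment and the unrelated `server.port` key; the placeholder check is what keeps a configuration that has already been migrated to environment variables from being re-flagged.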
Mitigation / Fix
- Replace hard-coded SMTP identifiers with a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.
- Check SMTP access logs of the target email system for suspicious activity involving the SMTP service account during the exposure window, such as port scanning or attempts to use any leaked SMTP account.