Use of Insecure SMTP Channel

Need

Ensure confidentiality and integrity of data during transmission

Context

Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
Usage of Swoosh library for email sending

Description

Non compliant code

def send_email(email) do
  {:ok, pid} = Swoosh.Adapters.SMTP.start_link(port: 25, tls: :none)
  email |> MyApp.Mailer.deliver(pid)
end

The code above is vulnerable because it sends an email using the Swoosh SMTP adapter without encryption (tls: :none). This means that all data sent in the email can be easily intercepted and read by any party that can listen on the network.

Steps

Enable SSL/TLS in the SMTP settings.
Ensure the use of valid and trusted certificates.
Perform periodic reviews and updates of security configurations.

Compliant code

def send_email(email) do
  {:ok, pid} = Swoosh.Adapters.SMTP.start_link(port: 465, tls: :always, ssl_opts: [{:versions, [:'tlsv1.2']}])
  email |> MyApp.Mailer.deliver(pid)
end

The secure code uses the SMTPS protocol which operates on port 465 and uses SSL/TLS to encrypt the communication channel. The 'ssl_opts' option is set to use TLS version 1.2 which is currently considered secure.

References

149.Use of an insecure channel - SMTP

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​