 

Why is authentication: 'plain' the default setting for ActionMailer in Rails (with Gmail SMTP)?

I am reading up on ActionMailer for Rails. My question is about the default settings as described here:

config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = {
  :address              => "smtp.gmail.com",
  :port                 => 587,
  :domain               => 'baci.lindsaar.net',
  :user_name            => '<username>',
  :password             => '<password>',
  :authentication       => 'plain',
  :enable_starttls_auto => true  }

Now, reading from the API here, it says that:

":authentication - If your mail server requires authentication, you need to specify the authentication type here. This is a symbol and one of :plain (will send the password in the clear)"

So my question is: does this send the password as plaintext? I find it hard to believe that it does, but I can't see in the documentation where it says it encrypts it. Is it something to do with the line :enable_starttls_auto => true? Let me know where my mistake is. Also, how does enable_starttls guarantee a secure connection (if this is where the encryption comes in)?

As always, links to documentation/references are appreciated and encouraged :)

Thanks in advance.

Mike H-R asked Jun 24 '13 15:06


People also ask

How do I use SMTP in Ruby on Rails?

Go to the config folder of your email project, open the environment.rb file and add the following line at the bottom of this file. It tells ActionMailer that you want to use an SMTP server. You can also set it to :sendmail if you are using a Unix-based operating system such as Mac OS X or Linux.

What is ActionMailer?

Action Mailer allows you to send emails from your application using a mailer model and views. In Rails, emails are sent by creating mailers that inherit from ActionMailer::Base and live in app/mailers. Those mailers have associated views that appear alongside controller views in app/views.

What is enable_starttls_auto?

Setting enable_starttls_auto to true makes the client check whether the server advertises STARTTLS in its EHLO response and use it if it does. However, secure transport is not guaranteed against an arbitrary SMTP server: your credentials will be sent practically in plaintext should the server not support STARTTLS, and an active attacker on the path can produce the same result by stripping the STARTTLS capability from the EHLO response, since the client only upgrades opportunistically and never fails the session.


1 Answer

Derek Hill wrote a nice response to this question here: What is the "plain" authentication_type in mailer?

But I found this question more easily on Google, so I am reposting it.

"According to this article 'although the keyword PLAIN is used, the username and password are not sent as plain text over the Internet - they are always BASE64 encoded'

However 'One drawback of using the PLAIN authentication mechanism is that the username and password can be decoded quite easily if somebody monitors the SMTP communication. To obtain higher security an authentication mechanism with the name CRAM-MD5 can be used instead.'"

tbenst answered Oct 14 '22 23:10
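As an added example (not part of the question or of tbenst's answer), the Ruby below ties the two points on this page together. It builds the exact SASL PLAIN token an SMTP client sends after AUTH PLAIN and decodes it again, which is the answer's point that Base64 is reversible by anyone who can read the connection. It then places the question's smtp_settings beside a hardened variant that addresses the enable_starttls_auto caveat above: STARTTLS becomes mandatory and the server certificate is verified. The credentials are constructed, and the cleartext_auth_possible? audit helper is mine; the option names enable_starttls, openssl_verify_mode and ssl are the mail gem's own (enable_starttls requires mail 2.7 or later, and is documented in the Rails 7.1 guide).

```ruby
require 'base64'

# SASL PLAIN (RFC 4616) as the SMTP client emits it after "AUTH PLAIN":
#   base64( authzid NUL authcid NUL password )
# Base64 is a transport encoding, not encryption: whoever can read the TCP
# stream recovers the password with a single decode. Only TLS (STARTTLS or
# implicit TLS) keeps it confidential.
def auth_plain_token(user, password, authzid = '')
  Base64.strict_encode64("#{authzid}\0#{user}\0#{password}")
end

# What a passive observer does with a captured "AUTH PLAIN <token>" line.
def decode_auth_plain(token)
  authzid, user, password = Base64.strict_decode64(token).split("\0", 3)
  { authzid: authzid, user: user, password: password }
end

# The settings from the question (opportunistic STARTTLS only).
QUESTION_SETTINGS = {
  address:              'smtp.gmail.com',
  port:                 587,
  domain:               'baci.lindsaar.net',
  user_name:            '<username>',
  password:             '<password>',
  authentication:       'plain',
  enable_starttls_auto: true
}.freeze

# Hardened variant: STARTTLS is mandatory (Net::SMTP raises instead of
# falling back to cleartext when the server does not offer it) and the
# server certificate is verified, so a man-in-the-middle cannot present
# its own. :enable_starttls takes precedence over :enable_starttls_auto
# in the mail gem (>= 2.7).
HARDENED_SETTINGS = QUESTION_SETTINGS.merge(
  enable_starttls:     true,
  openssl_verify_mode: 'peer'
).freeze

# Alternative: implicit TLS on port 465, which Gmail also offers.
IMPLICIT_TLS_SETTINGS = QUESTION_SETTINGS.merge(
  port:                465,
  ssl:                 true,
  openssl_verify_mode: 'peer'
).freeze

# Config audit (illustrative helper): can this hash ever put AUTH
# credentials on the wire without TLS? Mirrors the mail gem's precedence:
# :ssl/:tls -> :enable_starttls -> :enable_starttls_auto. Only the last
# one leaves the decision to the server (or to whoever edits its EHLO).
def cleartext_auth_possible?(settings)
  return false if settings[:authentication].nil?    # nothing secret to leak
  return false if settings[:ssl] || settings[:tls]  # TLS from the first byte
  return false if settings[:enable_starttls]        # STARTTLS or fail
  true                                              # auto or nothing: server decides
end

if $PROGRAM_NAME == __FILE__
  # Constructed credentials, not real ones.
  token = auth_plain_token('alice@example.com', 'hunter2')
  puts "AUTH PLAIN #{token}"
  puts "decoded:   #{decode_auth_plain(token)}"
  { question: QUESTION_SETTINGS, hardened: HARDENED_SETTINGS,
    implicit_tls: IMPLICIT_TLS_SETTINGS }.each do |name, s|
    puts "#{name}: cleartext auth possible? #{cleartext_auth_possible?(s)}"
  end
end
```

Running it prints the Base64 token and then the recovered username and password, which is all "PLAIN" ever hides. The audit helper reports true only for the question's settings: with Gmail in practice the upgrade succeeds, but the configuration itself does not insist on it, which is what the API note "will send the password in the clear" is warning about.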