Moodle in English: SMTP Email password viewing

SMTP Email password viewing

by Chris Swinney - Friday, July 12, 2019, 4:02 AM

Hi,

We are using a Moodle Partner to provide a customised Moodle platform. The first issue that we have is that the SMTP outgoing email server password is completely visible to all administrators. All they need to do is click the eye icon. The SMTP server we use provides email relay for many of our corporate activities, and we don't really want to share these passwords with anyone. Please tell me there is a better way here?

Surely this should be encrypted at rest, and not simply accessible to anyone who passes through. Even administrators should not be able to simply uncover this at will. If they can, and this "feature" cannot be disabled, then this is very concerning.

Re: SMTP Email password viewing

by Visvanath Ratnaweera - Friday, July 12, 2019, 7:26 PM

Is running an SMTP server (Exim, Postfix, ...) on localhost an alternative? Then you don't need to enter any password on Moodle web interface. The password to the external relay goes to the SMTP server config file.

Average of ratings: -

Re: SMTP Email password viewing

by Chris Swinney - Friday, July 12, 2019, 8:10 PM

Hi Visvanath,

Indeed, unfortunately this is out of our hands and is the decision of the Moodle partner. The lack of security here worries me though for other things elsewhere. This should be a fundamental design consideration.

Average of ratings: -

Re: SMTP Email password viewing

by Visvanath Ratnaweera - Friday, July 12, 2019, 9:22 PM

Well, that is the price of outsourcing! ;-*

SMTPAuth might have a public key type of authentication, I don't know. Even then you have to drop the private key somewhere in the server.

What about giving up the external mail relay and adding the Moodle server to the SPF of the domain Moodle is sending mails on behalf of?

Average of ratings: -

Security and privacy

SMTP Email password viewing