I'm looking at this example. http://golang.org/pkg/net/smtp/#example_PlainAuth
package main

import (
	"log"
	"net/smtp"
)

func main() {
	// Set up authentication information.
	auth := smtp.PlainAuth("", "user@example.com", "password", "mail.example.com")

	to := []string{"recipient@example.net"}
	mesg := []byte("This is the email body.")
	err := smtp.SendMail("mail.example.com:25", auth, "sender@example.org", to, mesg)
	if err != nil {
		log.Fatal(err)
	}
}
Does smtp.PlainAuth send credentials to the mail server in plain text? Is it safe to use net/smtp in the wild?
1 solution
#1
PlainAuth uses the PLAIN auth mech from RFC 4616, which is the username/password in plain cleartext. Normally when you are using this, encryption will be handled at a lower level; for example, you will create a TLS connection and then use PlainAuth over that. If you are not talking over an encrypted connection, then use of PlainAuth can be risky, as if the traffic is intercepted, the user/pass are easy to get.
But if you read further, you will see that the SendMail function says the following:
SendMail connects to the server at addr, switches to TLS if possible, authenticates with the optional mechanism a if possible, and then sends an email from address from, to addresses to, with message msg.
So it will try to automatically upgrade to TLS where possible for you. So as long as you are using servers that support TLS, you should be relatively safe. The other Auth choice is CramMD5, but server support for this method is generally less common than PlainAuth which most everything supports.
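To make the answer's point concrete, here is an added example (not code from the question, the answer, or the Go project) showing two things in the Go standard library's net/smtp: first, that PlainAuth's Start step itself refuses to hand over the credentials unless the connection is TLS-protected (or the server is localhost) and the server name matches the host given to PlainAuth, and second, an explicit-client variant of the question's SendMail call that fails closed if STARTTLS is not negotiated rather than continuing in cleartext. The credentials, host names and addresses are constructed placeholders; plainAuthStart performs no network I/O, and sendOverStartTLS is an assumed helper name.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/smtp"
)

// plainAuthStart drives only the Start step of the PLAIN mechanism against a
// description of the connection (no network I/O). It returns the mechanism
// name, the exact bytes PlainAuth would send, and any refusal error, so the
// client-side safety check in net/smtp can be observed directly.
func plainAuthStart(authHost, serverName string, encrypted bool) (mech string, resp []byte, err error) {
	// Constructed sample credentials, not a real account.
	auth := smtp.PlainAuth("", "user@example.com", "password", authHost)
	info := &smtp.ServerInfo{Name: serverName, TLS: encrypted, Auth: []string{"PLAIN"}}
	return auth.Start(info)
}

// sendOverStartTLS is an explicit, fail-closed equivalent of smtp.SendMail:
// it refuses to authenticate unless STARTTLS has actually been negotiated,
// instead of silently continuing in cleartext when the server does not offer
// it. addr and host are placeholders supplied by the caller.
func sendOverStartTLS(addr, host, from string, to []string, msg []byte, auth smtp.Auth) error {
	c, err := smtp.Dial(addr)
	if err != nil {
		return err
	}
	defer c.Close()
	if ok, _ := c.Extension("STARTTLS"); !ok {
		return fmt.Errorf("%s does not offer STARTTLS; not sending credentials", host)
	}
	// ServerName makes the TLS handshake verify the certificate for host.
	if err := c.StartTLS(&tls.Config{ServerName: host}); err != nil {
		return err
	}
	if _, ok := c.TLSConnectionState(); !ok {
		return fmt.Errorf("connection to %s is still unencrypted", host)
	}
	if err := c.Auth(auth); err != nil {
		return err
	}
	if err := c.Mail(from); err != nil {
		return err
	}
	for _, rcpt := range to {
		if err := c.Rcpt(rcpt); err != nil {
			return err
		}
	}
	w, err := c.Data()
	if err != nil {
		return err
	}
	if _, err := w.Write(msg); err != nil {
		return err
	}
	if err := w.Close(); err != nil {
		return err
	}
	return c.Quit()
}

func main() {
	cases := []struct {
		label, authHost, serverName string
		encrypted                   bool
	}{
		{"cleartext to remote host", "mail.example.com", "mail.example.com", false},
		{"TLS, server name mismatch", "mail.example.com", "other.example.com", true},
		{"TLS, matching server name", "mail.example.com", "mail.example.com", true},
		{"cleartext to localhost", "localhost", "localhost", false},
	}
	for _, tc := range cases {
		mech, resp, err := plainAuthStart(tc.authHost, tc.serverName, tc.encrypted)
		if err != nil {
			fmt.Printf("%-28s -> refused: %v\n", tc.label, err)
			continue
		}
		// The response is identity NUL username NUL password: the literal
		// cleartext credential the answer is warning about.
		fmt.Printf("%-28s -> %s %q\n", tc.label, mech, resp)
	}
}
```

Running main shows that the remote cleartext case is refused with "unencrypted connection" and the mismatched name with "wrong host name", while the TLS case yields the PLAIN payload "\x00user@example.com\x00password". That payload is why the transport, not the mechanism, has to provide the secrecy; sendOverStartTLS makes that requirement explicit instead of relying on SendMail's "if possible" upgrade.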