JavaMail SMTP configurations should have secure SSL configurations.
JavaMail, Java's SMTP API, is widely used to send email. As with HTTP, the SMTP connection can be protected with SSL/TLS, either implicitly (TLS from the first byte, `mail.smtp.ssl.enable`) or via STARTTLS (`mail.smtp.starttls.enable`). Encryption alone is not enough, however: unless JavaMail is told to check that the hostname in the server's certificate matches the host it is connecting to, any party holding a certificate trusted by the JVM's truststore can impersonate the mail server, so a man-in-the-middle attacker can read credentials and message bodies.
It is recommended to explicitly enable server identity checking (`mail.smtp.ssl.checkserveridentity`) rather than rely on the library default, so that TLS connections are properly authenticated as well as encrypted.
In this example, SMTP authentication and an SSL socket factory are enabled for a JavaMail session, but server identity checking is not, so the certificate's hostname is never compared with the configured host.
import java.util.Properties;
import javax.mail.*; // Authenticator, PasswordAuthentication, Session (jakarta.mail.* on Jakarta Mail 2.x)

Properties properties = System.getProperties();
properties.put("mail.transport.protocol", "smtp");
properties.put("mail.smtp.host", "smtp.example.com");
properties.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); // TLS socket, but no hostname check
properties.put("mail.smtp.auth", "true");
Authenticator authenticator = new Authenticator() { // placeholder credentials
    @Override protected PasswordAuthentication getPasswordAuthentication() {
        return new PasswordAuthentication("user", "password");
    }
};
Session session = Session.getInstance(properties, authenticator); // mail.smtp.ssl.checkserveridentity is unset: MITM possible
Set the "mail.smtp.ssl.checkserveridentity" property to "true" to ensure that the server's certificate is verified against the configured hostname (note that the property prefix follows the transport protocol: use "mail.smtps.ssl.checkserveridentity" if the protocol is "smtps").
properties.put("mail.smtp.ssl.checkserveridentity", "true");
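The following is an added example, not code from the original rule text and not part of JavaMail itself. It builds a hardened configuration for either implicit TLS or STARTTLS, and includes a small audit routine that flags the settings a reviewer should look for in existing code: a missing identity check, `mail.smtp.ssl.trust` (which skips chain validation for the listed hosts, or for every host when set to "*"), optional STARTTLS (downgradable to plaintext), and a socket factory left with its default plaintext fallback. Assumptions: the `javax.mail` package namespace (use `jakarta.mail` on Jakarta Mail 2.x), the host `smtp.example.com`, and placeholder credentials; the class and method names are this example's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.mail.Authenticator;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

public class SmtpTlsConfig {

    /**
     * Properties for an SMTP session that both encrypts and authenticates the server.
     * The prefix stays "mail.smtp." because the transport protocol stays "smtp";
     * implicit TLS is selected with mail.smtp.ssl.enable rather than the "smtps" protocol.
     */
    static Properties hardenedProperties(String host, boolean implicitTls) {
        Properties props = new Properties();
        props.put("mail.transport.protocol", "smtp");
        props.put("mail.smtp.host", host);
        if (implicitTls) {
            props.put("mail.smtp.port", "465");
            props.put("mail.smtp.ssl.enable", "true");          // TLS from the first byte
        } else {
            props.put("mail.smtp.port", "587");
            props.put("mail.smtp.starttls.enable", "true");
            props.put("mail.smtp.starttls.required", "true");   // fail closed: no plaintext fallback
        }
        props.put("mail.smtp.ssl.checkserveridentity", "true"); // certificate hostname must match 'host'
        props.put("mail.smtp.ssl.protocols", "TLSv1.2 TLSv1.3");
        props.put("mail.smtp.auth", "true");
        // Deliberately NOT set: mail.smtp.ssl.trust, which would bypass chain validation.
        return props;
    }

    /** Returns findings for settings that weaken TLS on an smtp-prefixed configuration; empty when none. */
    static List<String> audit(Properties props) {
        List<String> findings = new ArrayList<>();
        boolean implicitTls = "true".equalsIgnoreCase(props.getProperty("mail.smtp.ssl.enable"));
        boolean startTls = "true".equalsIgnoreCase(props.getProperty("mail.smtp.starttls.enable"));
        boolean factory = props.getProperty("mail.smtp.socketFactory.class") != null;
        if (!implicitTls && !startTls && !factory) {
            findings.add("no TLS: neither ssl.enable, starttls.enable nor a socket factory is configured");
        }
        if (!"true".equalsIgnoreCase(props.getProperty("mail.smtp.ssl.checkserveridentity"))) {
            findings.add("mail.smtp.ssl.checkserveridentity is not true: hostname never compared with certificate");
        }
        String trust = props.getProperty("mail.smtp.ssl.trust");
        if (trust != null) {
            findings.add("mail.smtp.ssl.trust=" + trust + " skips chain validation for "
                    + ("*".equals(trust) ? "every host" : "the listed hosts"));
        }
        if (startTls && !"true".equalsIgnoreCase(props.getProperty("mail.smtp.starttls.required"))) {
            findings.add("STARTTLS is optional: an active attacker can strip it and keep the session in plaintext");
        }
        if (factory && !"false".equalsIgnoreCase(props.getProperty("mail.smtp.socketFactory.fallback"))) {
            findings.add("mail.smtp.socketFactory.fallback defaults to true: a failed TLS socket falls back to java.net.Socket");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed weak configuration, in the style of the rule's non-compliant example.
        Properties weak = new Properties();
        weak.put("mail.smtp.host", "smtp.example.com");
        weak.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
        weak.put("mail.smtp.ssl.trust", "*");
        System.out.println("weak config findings: " + audit(weak));

        Properties strong = hardenedProperties("smtp.example.com", false);
        System.out.println("hardened config findings: " + audit(strong)); // expected: []

        Authenticator authenticator = new Authenticator() { // placeholder credentials
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication("user", "password");
            }
        };
        // Session.getInstance does not open a connection; a later Transport.send would now
        // reject a server whose certificate does not match smtp.example.com.
        Session session = Session.getInstance(strong, authenticator);
        System.out.println("session created with checkserveridentity="
                + session.getProperty("mail.smtp.ssl.checkserveridentity"));
    }
}
```

The audit is property-based and therefore cheap to run in a unit test against whatever `Properties` your application assembles; it covers the `mail.smtp.` prefix only, so extend the key names if a code base uses the `smtps` transport (whose properties are prefixed `mail.smtps.`).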