Java

Made by DeepSource

SMTP configurations should check SSL certificates for authenticity JAVA-S1033

Security
Critical
a07 cwe-295 cwe-287 cwe-297 sans top 25 owasp top 10

JavaMail SMTP configurations should have secure SSL configurations.

JavaMail, the standard Java API for SMTP, is widely used to send email. As with HTTP, the connection to the mail server can be protected with SSL/TLS. Encryption alone is not enough, though: unless JavaMail is told to verify that the server's certificate was issued for the host it is connecting to, any certificate the JVM trusts is accepted, whichever host it names. An attacker on the network path can then terminate the TLS connection with a certificate of their own, read the SMTP credentials and message contents, and relay them on to the real server (a man-in-the-middle attack).

Explicitly enable server identity checking for every SMTP session so that the TLS connection is bound to the intended host rather than merely encrypted.

Bad Practice

In this example, SMTP authentication is enabled for a JavaMail session and an SSL socket factory is configured, but the server's identity is never checked against the certificate it presents.

import java.util.Properties;
import javax.mail.Authenticator;
import javax.mail.Session;

Properties properties = System.getProperties();
properties.put("mail.transport.protocol", "smtp");
properties.put("mail.smtp.host", "smtp.example.com"); // placeholder host
// The JVM's default SSL socket factory validates the certificate chain, but not the host name.
properties.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
properties.put("mail.smtp.auth", "true");
// "mail.smtp.ssl.checkserveridentity" is never set, so the certificate is not matched against the host.

Authenticator authenticator = ...; // Create an authenticator implementation.
Session session = Session.getInstance(properties, authenticator);

Recommended

Set the "mail.smtp.ssl.checkserveridentity" property to "true" so that JavaMail checks the server's identity, as specified by RFC 2595, against the certificate it presents. JavaMail releases have historically defaulted this property to false, so set it explicitly rather than relying on the default. The check only helps when the connection is actually encrypted: enable TLS with "mail.smtp.ssl.enable" (implicit TLS), or for STARTTLS set "mail.smtp.starttls.required" to "true" so the client refuses to continue in plaintext when the server does not offer, or an attacker strips, the STARTTLS extension. Do not undo the check elsewhere, for example by setting "mail.smtp.ssl.trust" to "*" (which trusts every host) or by supplying a custom socket factory that accepts any certificate. If the transport protocol is "smtps", the same properties use the "mail.smtps." prefix.

properties.put("mail.smtp.ssl.checkserveridentity", "true");
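As an added example, not DeepSource's code and not part of JavaMail itself, the following class shows a complete session configuration that enables TLS together with the identity check for both the implicit-TLS and STARTTLS cases, plus a small startup guard, requireVerifiedTls, that rejects configurations this rule would flag. The host name, port and credentials are placeholders, and requireVerifiedTls is a hypothetical helper written for this page, not a JavaMail API. It uses the javax.mail package of classic JavaMail; Jakarta Mail 2.x moved the same classes to jakarta.mail.

```java
import java.util.Properties;
import javax.mail.Authenticator;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

public class SecureSmtpSession {

    // Implicit TLS (SMTPS, usually port 465). With ssl.enable JavaMail uses the
    // JVM's default SSLSocketFactory, so the chain is validated against the JVM
    // trust store, and checkserveridentity binds the certificate to the host name.
    static Properties implicitTlsProperties(String host, int port) {
        Properties props = new Properties();
        props.put("mail.transport.protocol", "smtp");
        props.put("mail.smtp.host", host);
        props.put("mail.smtp.port", Integer.toString(port));
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.ssl.enable", "true");
        props.put("mail.smtp.ssl.checkserveridentity", "true");
        return props;
    }

    // STARTTLS (usually port 587). starttls.required makes the client abort
    // instead of sending credentials in plaintext when the server does not
    // offer STARTTLS, e.g. because an attacker stripped it from the EHLO reply.
    static Properties startTlsProperties(String host, int port) {
        Properties props = new Properties();
        props.put("mail.transport.protocol", "smtp");
        props.put("mail.smtp.host", host);
        props.put("mail.smtp.port", Integer.toString(port));
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true");
        props.put("mail.smtp.ssl.checkserveridentity", "true");
        return props;
    }

    // Hypothetical startup guard: rejects a configuration that would connect
    // without TLS, skip the identity check, or disable trust through a side channel.
    static void requireVerifiedTls(Properties props) {
        String p = "mail." + props.getProperty("mail.transport.protocol", "smtp") + ".";
        String factory = props.getProperty(p + "socketFactory.class");
        // The legacy way of enabling SSL is to name the JDK's SSL socket factory directly.
        boolean implicitTls = "true".equalsIgnoreCase(props.getProperty(p + "ssl.enable"))
                || "javax.net.ssl.SSLSocketFactory".equals(factory);
        boolean startTls = "true".equalsIgnoreCase(props.getProperty(p + "starttls.required"));
        if (!implicitTls && !startTls) {
            throw new IllegalStateException(p + "ssl.enable or " + p + "starttls.required must be true");
        }
        if (!"true".equalsIgnoreCase(props.getProperty(p + "ssl.checkserveridentity"))) {
            throw new IllegalStateException(p + "ssl.checkserveridentity must be true");
        }
        if ("*".equals(props.getProperty(p + "ssl.trust"))) {
            throw new IllegalStateException(p + "ssl.trust=* trusts every host");
        }
        if (factory != null && !"javax.net.ssl.SSLSocketFactory".equals(factory)) {
            throw new IllegalStateException("custom socket factory " + factory
                    + " needs review: it may not validate the certificate chain at all");
        }
    }

    public static void main(String[] args) {
        Properties props = implicitTlsProperties("smtp.example.com", 465); // placeholder host
        requireVerifiedTls(props);

        Authenticator authenticator = new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication("user", "password"); // placeholder credentials
            }
        };
        Session session = Session.getInstance(props, authenticator);
        System.out.println("checkserveridentity=" + session.getProperty("mail.smtp.ssl.checkserveridentity"));

        // The Bad Practice configuration above: SSL via the socket factory, but no identity check.
        Properties unchecked = new Properties();
        unchecked.put("mail.transport.protocol", "smtp");
        unchecked.put("mail.smtp.host", "smtp.example.com");
        unchecked.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
        unchecked.put("mail.smtp.auth", "true");
        try {
            requireVerifiedTls(unchecked);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard reads the protocol from "mail.transport.protocol" so it also covers sessions configured with the "mail.smtps." prefix. Run it once at application start, or from a unit test over the production Properties, so a configuration that drops the identity check is caught before any credentials are sent.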

References

  • CWE-297 - Improper Validation of Certificate with Host Mismatch
  • CWE-295 - Improper Certificate Validation
  • CWE-287 - Improper Authentication
  • OWASP Top Ten (2021) - Category A07 - Identification and Authentication Failures