SMTP server identity must be verified
ID: java-security/smtp-insecure-connection
Language: Java
Severity: Warning
Category: Security
CWE: 297
Description
When a program establishes an SMTP connection over TLS, it must verify that the server certificate was issued for the hostname it connected to; otherwise any certificate that chains to a trusted CA is accepted and an attacker on the path can impersonate the mail server and capture credentials and message content (CWE-297, certificate host mismatch). With Apache Commons Email, enabling TLS alone (setSSLOnConnect(true) or STARTTLS) is not enough: hostname verification is only switched on by calling setSSLCheckServerIdentity(true) before send(), which sets the underlying JavaMail property mail.smtp.ssl.checkserveridentity.
Non-Compliant Code Examples
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

class NotCompliant {
    // Credentials are supplied by the caller; read from the environment here.
    private final String username = System.getenv("SMTP_USER");
    private final String password = System.getenv("SMTP_PASS");

    public void myMethod() throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName("smtp.servermail.com");
        email.setSmtpPort(465);
        email.setAuthenticator(new DefaultAuthenticator(username, password));
        // email.setSSLOnConnect(true);
        // Neither TLS nor setSSLCheckServerIdentity(true) is configured, so the
        // certificate hostname is never matched against the host set above.
        email.setFrom("user@gmail.com");
        email.setSubject("TestMail");
        email.setMsg("This is a test mail ... :-)");
        email.addTo("foo@bar.com");
        email.send();
    }
}
Compliant Code Examples
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

class Compliant {
    // Credentials are supplied by the caller; read from the environment here.
    private final String username = System.getenv("SMTP_USER");
    private final String password = System.getenv("SMTP_PASS");

    public void myMethod() throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName("smtp.servermail.com");
        email.setSmtpPort(465);
        email.setAuthenticator(new DefaultAuthenticator(username, password));
        // Implicit TLS from the first byte (the port actually used is the one
        // from setSslSmtpPort, which defaults to 465).
        email.setSSLOnConnect(true);
        email.setFrom("user@gmail.com");
        email.setSubject("TestMail");
        email.setMsg("This is a test mail ... :-)");
        email.addTo("foo@bar.com");
        // Hostname verification is off unless requested; both TLS settings are
        // read when the mail session is created inside send(), so set them first.
        email.setSSLCheckServerIdentity(true);
        email.send();
    }
}
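The same check applies when the connection is upgraded with STARTTLS on the submission port instead of using SSL on connect. The following is an added example, not part of the rule's own compliant code: it builds a STARTTLS client with Commons Email (1.4 or later, where setStartTLSRequired and setSSLCheckServerIdentity exist) and then inspects the JavaMail session that Commons Email derives from those settings, so the configuration can be checked in a unit test without sending anything. The hostname, credentials and the SmtpIdentityCheck class name are placeholders chosen for this example.

```java
import java.util.Properties;

import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class SmtpIdentityCheck {

    // Builds a STARTTLS submission client (port 587). Host and credentials are
    // placeholders for this example; real values come from configuration.
    public static Email newStartTlsEmail(String host, String user, String pass)
            throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setSmtpPort(587);
        email.setAuthenticator(new DefaultAuthenticator(user, pass));
        // Opportunistic STARTTLS lets an on-path attacker strip the upgrade and
        // keep the session in plaintext; requiring it makes the upgrade mandatory.
        email.setStartTLSEnabled(true);
        email.setStartTLSRequired(true);
        // Without this the handshake accepts any certificate that chains to a
        // trusted CA, whatever hostname it was issued for (CWE-297).
        email.setSSLCheckServerIdentity(true);
        return email;
    }

    // Reads back the JavaMail session that Commons Email builds from the settings
    // above. setSSLCheckServerIdentity(true) becomes the
    // mail.smtp.ssl.checkserveridentity property, but only when SSL-on-connect or
    // STARTTLS is enabled, so this also catches a forgotten TLS setting.
    public static boolean verifiesServerIdentity(Email email) throws EmailException {
        Properties props = email.getMailSession().getProperties();
        return Boolean.parseBoolean(props.getProperty("mail.smtp.ssl.checkserveridentity"));
    }

    public static void main(String[] args) throws EmailException {
        Email hardened = newStartTlsEmail("smtp.example.org", "user", "secret");
        System.out.println("STARTTLS + identity check: " + verifiesServerIdentity(hardened));

        // Identity check requested but no TLS mode enabled: the flag has no effect.
        Email noTls = new SimpleEmail();
        noTls.setHostName("smtp.example.org");
        noTls.setSmtpPort(587);
        noTls.setSSLCheckServerIdentity(true);
        System.out.println("identity flag without TLS: " + verifiesServerIdentity(noTls));
    }
}
```

verifiesServerIdentity is the kind of assertion worth keeping in a test suite next to the mail configuration: it fails both when setSSLCheckServerIdentity(true) is removed and when TLS is silently disabled, which is the combination that turns a valid-looking setup back into the non-compliant one above.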