From afd399b84f83cb08013476ee2adb3e846c854655 Mon Sep 17 00:00:00 2001
From: Lucien Cartier-Tilet <lucien@phundrak.com>
Date: Mon, 1 Jun 2026 23:18:45 +0200
Subject: [PATCH] feat(SMTP): disallow unencrypted SMTP with credentials

---
 src/startup.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/startup.rs b/src/startup.rs
index 5545aa5..c0cee45 100644
--- a/src/startup.rs
+++ b/src/startup.rs
@@ -10,6 +10,7 @@ use poem::middleware::{AddDataEndpoint, Cors, CorsEndpoint};
 use poem::{EndpointExt, Route};
 use poem_openapi::OpenApiService;
 
+use crate::settings::Starttls;
 use crate::{
     middleware::rate_limit::{RateLimit, RateLimitConfig},
     route::Api,
@@ -93,6 +94,7 @@ impl From<Application> for RunnableApplication {
 
 impl Application {
     fn setup_app(settings: &Settings) -> poem::Route {
+        Self::prevent_unencrypted_smtp_with_credentials(settings);
         let api_service = OpenApiService::new(
             Api::from(settings).apis(),
             settings.application.clone().name,
@@ -109,6 +111,17 @@ impl Application {
         route
     }
 
+    fn prevent_unencrypted_smtp_with_credentials(settings: &Settings) {
+        if !settings.email.tls
+            && settings.email.starttls == Starttls::Never
+            && !settings.email.user.is_empty()
+            && settings.email.host != "localhost"
+            && settings.email.host != "127.0.0.1"
+        {
+            panic!("Refusing to send SMTP credentials over cleartext to non-local host");
+        }
+    }
+
     fn setup_server(
         settings: &Settings,
         tcp_listener: Option<poem::listener::TcpListener<String>>,