1

I use the following code...

      $mail = new PHPMailer();  
      $mail->IsSMTP(); // send via SMTP
      $mail->SMTPAuth = true; // turn on SMTP authentication
      $mail->Username = $USR_EMAIL; // SMTP username
      $mail->Password = $MAIL_PWD; // SMTP password

I would like to ask some simple questions. Is there a way to pass to phpMailer a password saved in MD5 format in the database? Is there any other type of hashing that phpMailer supports? Is there a sending email PHP script that supports hashed passwords? I am terrified by the idea that I will have an email password stored anywhere without some kind of encryption.

user926652

2 Answers

6

You have to send the plain password to SMTP. Hash functions are one-way, they just "obfuscate" the input, so SMTP cannot authenticate you with it.

You could encrypt the password, probably with AES, store the ciphertext and the secret (maybe as an env. variable), and pass the decoded password to the mailer.

Example:

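    <?php
    // mcrypt only accepts 16-, 24- or 32-byte keys, so derive 32 bytes from the secret
    $secret_key = hash('sha256', 'supersecret key', true);
    $password = 'somepass';

    // encrypt
    // calculate cipher, and store somewhere
    $cipher = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $password, MCRYPT_MODE_ECB);

    // use the cipher
    $mail->Username = $USR_EMAIL; // SMTP username
    // mcrypt pads the plaintext with NUL bytes up to the block size; strip them after decrypting
    $mail->Password = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $cipher, MCRYPT_MODE_ECB), "\0"); // SMTP password
    ?>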
winya
  • 1
    But again my password would be exposed in the PHP document, if I got it right? – user926652 Jun 20 '12 at 12:13
  • 1
    Calculate the cipher first (possibly with a CLI snippet), store the cipher in PHP code as a string, and set the secret as a server env. variable, which could be retrieved by `getenv('MY_SECRET');` see: http://php.net/manual/en/function.getenv.php – winya Jun 21 '12 at 11:49
  • @winya, Well, I know this is an old post, but if you read this can you correct me please if I am wrong. If I am trying to hide this password from other people who have access to these files (e.g. designers etc.), even if I store the string in the env. variable or in a file outside of the public_html directory (below, where others don't have FTP access), they can still simply get the output of that variable $password just by echoing it. Am I right? Thanks – Alex Reds Sep 22 '14 at 23:55
  • @user926652, did you solve this? I am also a bit worried about storing passwords in open formats. Not sure why no one bothers about it – Alex Reds Sep 23 '14 at 00:14
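
The approach from the answer and comments above (ciphertext in storage, key in a server environment variable), written out as an added example that is not code from the original posts. It uses the sodium extension bundled with PHP 7.2+, since mcrypt was removed from PHP core in that release, and authenticated encryption so that a modified stored value is rejected. `MY_SECRET` is the variable name from the comment; `load_key()`, `seal_password()`, `open_password()` and the demo values are assumptions.

```php
<?php
// Added example, not from the original answers. Assumes PHP >= 7.2 (bundled sodium).
// MY_SECRET is the env variable name from the comment above; helper names are hypothetical.

function load_key(): string
{
    // Expect a base64-encoded 32-byte key in the server environment.
    $key = base64_decode((string) getenv('MY_SECRET'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('MY_SECRET is missing or not a 32-byte base64 key');
    }
    return $key;
}

function seal_password(string $plain, string $key): string
{
    // Fresh random nonce per encryption, stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

function open_password(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // Wrong key or modified ciphertext: fail closed.
        throw new RuntimeException('Decryption failed');
    }
    return $plain;
}

// Constructed demo values. In production the key is generated once and set outside the code base.
putenv('MY_SECRET=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key    = load_key();
$stored = seal_password('somepass', $key); // value to keep in the database
var_dump(open_password($stored, $key) === 'somepass');

// Flipping one bit of the stored value is caught by the authentication tag.
$bad = base64_decode($stored);
$bad[0] = chr(ord($bad[0]) ^ 1);
try { open_password(base64_encode($bad), $key); }
catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

With PHPMailer the assignment becomes `$mail->Password = open_password($stored, load_key());`. This keeps the password out of database dumps and source control; code that runs on the server with access to `MY_SECRET` can still decrypt it.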
3

Unfortunately it isn't a question of support in phpMailer, but of your SMTP setup. In most cases your SMTP server won't know what to do with a password hash -- it needs the unhashed password so that it can check against its own password tables, which are unlikely to be stored in unsalted MD5 anyway.

You can (if your SMTP server supports it) send the password through a secure connection (see PHPMailer: SMTP Error: Could not connect to SMTP host for a discussion about this). However, you'll still need to keep the password stored without encryption. One alternative to this, depending on your hosting package, is to set up SMTP such that it does not authenticate you by username and password -- for example, by using a properly configured local sendmail instance.

Community
Soz