I am writing some Linux code which requires sending emails. My question is: when I use STARTTLS (starttls on in msmtprc), is it secure to use plain authentication (auth plain)? Is the connection a) encrypted before the password is sent, or b) is the password sent first and the encryption established afterwards?
I assume the first option (a), but I want to be sure that no plaintext passwords are travelling through the network.
Also (this is a side problem), I presume that even with STARTTLS on it is usually not mandatory, and I have heard that a man-in-the-middle attacker can 'downgrade' the connection to disable the use of TLS. Is that true? The question here is: should I do further testing to ensure that only an encrypted connection can be established with the SMTP server?
Here is my msmtprc:
account default
host my-smtp-server.pl
tls on
tls_certcheck off
tls_starttls on
port 587
auth on
from my-email@mydomain.pl
auth plain
user username
password p@$$w0rd
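The two points raised above (whether AUTH happens only after the TLS upgrade, and whether a server would still be accepted if the STARTTLS capability were missing) can be checked from the client side. The following is an added example, not the poster's code and not part of msmtp: it parses the server's EHLO replies before and after STARTTLS and flags a server that advertises AUTH before the upgrade, or that does not advertise STARTTLS at all, which is exactly what a client sees when an active attacker strips the capability line. The host names and EHLO replies are constructed for the example; `check_live` is a hypothetical helper that runs the same assessment against a real server using Python's smtplib, with certificate verification switched on via `ssl.create_default_context()` (the equivalent of msmtp's `tls_certcheck on`).

```python
"""Assess an SMTP submission server's STARTTLS posture from EHLO replies."""
import smtplib
import ssl
from typing import Dict, Optional, Set

# Constructed EHLO replies (not captured from any real server).
# A well-configured server: AUTH is only advertised after STARTTLS.
GOOD_PRE_TLS = (b"250-mail.example.invalid Hello\r\n"
                b"250-SIZE 35882577\r\n"
                b"250-STARTTLS\r\n"
                b"250 ENHANCEDSTATUSCODES\r\n")
GOOD_POST_TLS = (b"250-mail.example.invalid Hello\r\n"
                 b"250-SIZE 35882577\r\n"
                 b"250-AUTH PLAIN LOGIN\r\n"
                 b"250 ENHANCEDSTATUSCODES\r\n")
# A weak server: it would accept a plaintext AUTH before the TLS upgrade.
WEAK_PRE_TLS = (b"250-mail.example.invalid Hello\r\n"
                b"250-STARTTLS\r\n"
                b"250 AUTH PLAIN LOGIN\r\n")
# What the client sees if something on the path removed the STARTTLS line.
STRIPPED_PRE_TLS = (b"250-mail.example.invalid Hello\r\n"
                    b"250 SIZE 35882577\r\n")


def parse_ehlo_reply(raw: bytes) -> Set[str]:
    """Return the upper-cased extension keywords from a raw multi-line 250 reply.

    The first line carries the server's hostname, not an extension, so it is
    skipped; every following '250-' / '250 ' line names one extension.
    """
    features: Set[str] = set()
    for line in raw.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the "250-" or "250 " prefix
        if body:
            features.add(body.split()[0].upper())
    return features


def assess(pre_tls: Set[str], post_tls: Optional[Set[str]]) -> Dict[str, object]:
    """Decide whether credentials could only ever be sent inside TLS.

    pre_tls:  extensions advertised on the plaintext connection
    post_tls: extensions advertised after STARTTLS, or None if no upgrade happened
    """
    starttls_offered = "STARTTLS" in pre_tls
    auth_before_tls = "AUTH" in pre_tls
    auth_after_tls = post_tls is not None and "AUTH" in post_tls
    if not starttls_offered:
        verdict = "no-starttls"            # refuse to authenticate at all here
    elif auth_before_tls:
        verdict = "auth-offered-before-tls"  # server would take a plaintext password
    elif not auth_after_tls:
        verdict = "no-auth-after-tls"
    else:
        verdict = "ok"
    return {
        "starttls_offered": starttls_offered,
        "auth_before_tls": auth_before_tls,
        "auth_after_tls": auth_after_tls,
        "verdict": verdict,
    }


def check_live(host: str, port: int = 587, timeout: float = 10.0) -> Dict[str, object]:
    """Hypothetical helper: run the same assessment against a real server.

    Certificate chain and hostname are verified by the default context, so a
    TLS-terminating interceptor is rejected rather than silently accepted.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre = {name.upper() for name in smtp.esmtp_features}
        post: Optional[Set[str]] = None
        if "STARTTLS" in pre:
            smtp.starttls(context=ctx)   # raises on handshake/verification failure
            smtp.ehlo()                  # capabilities must be re-read after the upgrade
            post = {name.upper() for name in smtp.esmtp_features}
    return assess(pre, post)


if __name__ == "__main__":
    for label, pre, post in (
        ("good", GOOD_PRE_TLS, GOOD_POST_TLS),
        ("weak", WEAK_PRE_TLS, GOOD_POST_TLS),
        ("stripped", STRIPPED_PRE_TLS, None),
    ):
        result = assess(parse_ehlo_reply(pre),
                        parse_ehlo_reply(post) if post is not None else None)
        print(f"{label:9s} -> {result['verdict']}")
```

The offline cases show the three outcomes that matter for this question: a server that only advertises AUTH inside TLS, one that would accept a plaintext AUTH, and a session in which STARTTLS was never offered. Against a real server, `check_live` will also raise if the certificate does not verify, which is the behaviour lost when `tls_certcheck off` is set in msmtprc.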