Rails 邮件程序/smtp - 潜在的安全问题? [英] Rails mailer / smtp - potential security issue?

问题描述

在 Rails 中使用 SMTP 设置发送电子邮件时，您需要提供用户名和密码才能从您的帐户发送电子邮件.但是，在代码中以纯文本形式将密码输入站点的电子邮件帐户是不是有点危险?有没有更安全的方法来做到这一点?

When using SMTP settings in Rails for sending e-mail, you need to provide a username and password for it to send email from your account. But isn't it a little dangerous to put your password to the site's email account in plain text in your code? Is there a more secure way to do this?

config.action_mailer.smtp_settings = {
        :address => "address_here",
        :port => 'port_#_here',
        :domain => "example.com",
        :authentication => :plain,
        :user_name => "user@example.com",
        :password => "foobar",
        :enable_starttls_auto => true
  }

推荐答案

这对于开发环境来说可能不是什么大问题，因为您可能正在使用不需要身份验证或某种虚拟帐户的服务器.

This is probably not much of an issue for the development environment, as you might be using a server that doesn't require authentication or a dummy account of some sort.

对于生产环境，我最常看到/使用的模式是将用户名、密码等信息保存在环境本身中，例如:

For the production environment the pattern I have seen/used most often is to keep information like usernames, passwords etc. within the environment itself e.g.:

config.action_mailer.smtp_settings = {
        :address => "address_here",
        :port => 'port_#_here',
        :domain => "example.com",
        :authentication => :plain,
        :user_name => ENV['EMAIL_USERNAME'],
        :password => ENV['EMAIL_PASSWORD'],
        :enable_starttls_auto => true
  }

通过这种方式，攻击者必须能够访问您的生产设备本身才能获取此信息.例如，如果您将应用部署到 Heroku 并为您的电子邮件使用 Sendgrid 插件 - 该插件将使您遵循该模式.

This way an attacker will have to gain access to your production box itself in order to get this info. If you're deploying your app to Heroku for example and using the Sendgrid plugin for you email - the plugin will make you follow that pattern.

这篇关于Rails 邮件程序/smtp - 潜在的安全问题?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！