Lettre_email: Is unencrypted_localhost() safe to use?


When developing my web-application, which needs to send automated mails to a user when he or she, for example, registers himself or buys something, I used SmtpTransport::unencrypted_localhost() from the lettre_email crate.

unencrypted_localhost seemed like a very handy function to test the mail-functionality of my application on my own machine because it allowed me to send mails without setting up a mail server or configuration and I could intercept the mails using a tool like mailcatcher.me.

But now I am deploying my application step-by-step on my VPS. On my VPS I installed and configured a Postfix outgoing-mail-server. And I noticed that the function unencrypted_localhost works perfectly in combination with Postfix to send real mails over the web! I guess because I configured Postfix to act as a loopback and to listen to localhost.

Is it safe to use Lettre_email's unencrypted_localhost function to send mails through Postfix to my users? Or should I use something encrypted? I am asking this question because the 'unencrypted' part is worrying me.


Not specific to email:

Loopback connections are completely private (assuming the machine's network interfaces are not seriously misconfigured): the data is only ever seen by the kernel and the two processes that are talking over the connection.

However, there is a second guarantee that SSL/TLS gives you: that the client is talking to a holder of a valid certificate. This would be a problem if you're sharing your OS with other users who might try to attack your app, and you're using a nonstandard high-numbered (>= 1024) port number (which any process may bind to without privileges). If you're using the default SMTP port number then this is not a problem (as any process that could be pretending to be the SMTP server could also be attacking your application in other ways).

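The two conditions from the answer above (the connection stays on loopback, and the port is one that only a privileged process can bind) can be checked before an application falls back to a plaintext SMTP transport. This is an added example, not part of the original posts and not code from the lettre crate; `PlaintextRisk`, `is_loopback` and `check_plaintext_relay` are hypothetical names, and the sample addresses are constructed.

```rust
use std::net::{IpAddr, SocketAddr};

/// Reason this added, hypothetical policy refuses plaintext SMTP to a relay.
#[derive(Debug, PartialEq)]
pub enum PlaintextRisk {
    /// No address was supplied (for example, name resolution returned nothing).
    NoAddress,
    /// Traffic would leave the loopback interface and cross a real network.
    NotLoopback(IpAddr),
    /// Port >= 1024: on a shared host any unprivileged process may bind it.
    UnprivilegedPort(u16),
}

/// True for 127.0.0.0/8, ::1, and IPv4-mapped forms such as ::ffff:127.0.0.1.
fn is_loopback(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_loopback(),
        IpAddr::V6(v6) => {
            v6.is_loopback() || v6.to_ipv4_mapped().map_or(false, |v4| v4.is_loopback())
        }
    }
}

/// Accept plaintext only if every candidate address is loopback and privileged.
/// Checking all of them matters because a hostname may resolve to several.
pub fn check_plaintext_relay(addrs: &[SocketAddr]) -> Result<(), PlaintextRisk> {
    if addrs.is_empty() {
        return Err(PlaintextRisk::NoAddress);
    }
    for addr in addrs {
        if !is_loopback(addr.ip()) {
            return Err(PlaintextRisk::NotLoopback(addr.ip()));
        }
        if addr.port() >= 1024 {
            return Err(PlaintextRisk::UnprivilegedPort(addr.port()));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample addresses, not taken from the post.
    for s in ["127.0.0.1:25", "[::1]:25", "127.0.0.1:1025", "192.0.2.10:25"] {
        let addr: SocketAddr = s.parse().expect("valid socket address");
        println!("{s:<16} -> {:?}", check_plaintext_relay(&[addr]));
    }
}
```

On a single-user development machine the `UnprivilegedPort` result can reasonably be treated as a warning rather than a hard failure, since the answer ties that risk to sharing the OS with other users.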
