Mailgun smtp_password change in GET /domains and /domains/ API calls

I’m on 2.8.4 Parse Server, on which we use a Mailgun adapter for password reset. Today we got this email:

Hey there,

In our continual efforts to uphold the highest security standards possible to protect our customers, starting November 1, 2021, we will no longer return a value for the smtp_password parameter in GET /domains and /domains/ API calls. Why we’re doing this As a security best practice, we are moving towards hashing SMTP passwords, just as we do with all other passwords on our platform. Due to this new standard, we will be unable to show the passwords in plain text once they are hashed and stored in our secure database. How this impacts you After this change, you will no longer be able to view the SMTP password in plain text and must store the password on your end – ideally using a secure password manager. Depending on your configuration, any applications reliant on the smtp_password parameter could throw errors. What you need to do After securely storing your SMTP password, you will need to update any reliant systems. Applications that are expecting the plain text password in the API response will need to be updated to no longer rely on the password in order to function correctly. We’ve created an FAQ to help you make the change.

I’m not sure if it affects us or not.

Parse mailgun adapter uses mailgun v3.2.1. And by looking at the mailgun source code seems like you dont need smtp password. I assume mailgun recieve a mail sending request and send mail from their own servers. So you are not sending email from parse server. You are just sending a request to mailgun and they send the mail. This shouldnt effect parse mailgun adapter.

Edit: mailgun-js/request.ts at f0c7ea6282ce83d44919805515ed37d12e82551b · mailgun/mailgun-js · GitHub

Also sending mail request is POST request. So you are not sending GET request (which they are planning to change behaviour) and this should not effect you.

1 Like