The comments pointing out that SMTP doesn’t require authentication are correct. That said, all three of the options you specified are insecure, assuming that the server uses commodity hardware and software. I’ll show why each is insecure, although I won’t follow your original order.

2) A file on the on the server where the password can be read from

3) Somewhere in the MySQL database.

What if someone were to steal the server? Then, they could just open the file or the database, read the password, and immediately have access to all the important information in the company. So unless you have armed guards surrounding the server day and night, this is already pretty insecure.

But it gets worse. No computer system is completely invulnerable to attack, and several well-publicized attacks (Sony’s PlayStation Network, for example) in the past few years have shown that an attacker can get to the contents of disk files and databases without physical access. Furthermore, it seems from your question that the server in question is meant to accept packets (HTTP requests, incoming emails, etc.) from the outside world, which boosts your attack surface.

1) Store the password in the program’s memory, i.e. a private final String field.

This is tempting, but this is even more pernicious than option 2 or option 3. For one thing, a private final string field is stored in the .class file generated by the Java compiler, so with this option you are already storing the unencrypted password on the server’s hard drive. After compromising the server as in option 2 or 3, an attacker can just run javap in order to get the plaintext password out of the .class file.

This approach broadens your attack surface even more, though. If the password is stored as part of the source code, suddenly it’s available to all developers who are working on the code. Under the principle of least privilege, the developers shouldn’t know extra passwords, and there’s a very good reason here. If any of the developers’ machines is stolen or compromised from outside, the attacker can look through the compromised machine’s hard drive and get the plaintext password. Then there’s source control. One of the really important benefits of source control is that it allows you to inspect any prior version of your code. So even if you switch to a secure method in the future, if the password has ever entered source control then the source control server is a potential attack point.

All of these factors add up to show that, even if the HTTP/mail server’s security is top-notch, option 1 increases the attack surface so much that the HTTP/mail server’s security doesn’t really help.

Extra detail: At the beginning I specified “assuming that the server uses commodity hardware and software.” If you aren’t using commodity hardware and software, you can do things like boot from readonly storage and use only an encrypted database, requiring a person to provide the decryption key on every boot. After that, the decrypted information lives in memory only, and is never written to disk. This way, if the server is stolen, an attacker has to unplug the server and so loses all the decrypted information that was only ever in memory. This kinds of setup is sometimes used for a Kerberos KDC (with the server in a locked boxe for extra security), but is rarely used otherwise, and is frankly overkill when there is an easy way to solve your problem without going to all this extra expense.