My code needs to connect to IMAP and SMTP servers to send out and recieve emails on a periodic basis, currently every 3 mins or so. The typical user flow is as follows
- Log in
- integrate your email by feeding in your IMAP and SMTP details (including emailId and password).
- Go to data
In the background, I run a quartz scheduler which periodically pulls emails from the IMAP server. the web UI and the quartz scheduler run in separate VM’s and talk to each other on REST.
What would be a good way to protect the user’s email credentials in such a scenario? One way hashing will not help because I will never want to ask the user for his password again, but i need to provide credentials to connect on IMAP
Of course, the best way to ensure a password is safe is having a “no return to the original”, but that’s out of the scope of this question 🙂
Having said that, your best option is to encrypt the password on the application code side, using a Private Key that exists only on the server (but not deployed together with the app). You can take a look at Jasypt, which is a tool for encryption for Java. Also, you might want to consider splitting the passphrase for the key into two parts: one coming from some configuration file inside the properties file, and one coming from, perhaps, the database itself.