SMTP email server password is visible in configuration.php

Discussion regarding Joomla! 3.x security issues.

Post by gymvago » Fri Sep 14, 2018 9:11 pm

Hello. Currently, I am using my personal email servers (Outlook, Gmail, etc.) with Joomla for interacting with users, but the passwords are totally visible in the file configuration.php; they are not encrypted. If somebody or a hacker accesses this data, then they can access my personal email, and that is very dangerous. The database password is also visible, but the passwords of my personal email are more important to me. What should I do about this? I have set the permissions for this file to 444 (apache:apache). Thanks.
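A server-side check of the setup described in the post above, as an added example that is not code from the thread or from the Joomla project. It reads the Joomla 3 mail properties (`$mailer`, `$smtpuser`, `$smtppass`) and the file mode, and shows that mode 444 leaves the file readable by every local account while 400 does not; the sample file and its values are constructed.

```python
import os
import re
import stat
import tempfile

# Joomla 3 keeps these as plain PHP string properties in configuration.php.
FIELDS = ("mailer", "smtphost", "smtpuser", "smtppass", "password")
PROP_RE = re.compile(r"public\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")

def audit_config(path):
    """Return (settings, findings) for one configuration.php."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        props = dict(PROP_RE.findall(fh.read()))
    settings = {k: props.get(k, "") for k in FIELDS}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("mode %03o: readable by every local account" % mode)
    if settings["mailer"] == "smtp" and settings["smtppass"]:
        findings.append("SMTP password in clear text for " + settings["smtpuser"])
    if settings["password"]:
        findings.append("database password in clear text")
    return settings, findings

# Constructed sample file, not taken from the thread.
SAMPLE = """<?php
class JConfig {
    public $password = 'db-secret-placeholder';
    public $mailer = 'smtp';
    public $smtpuser = 'site-mailer@example.org';
    public $smtppass = 'app-password-placeholder';
    public $smtphost = 'smtp.example.org';
}
"""

def demo():
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "configuration.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        for mode in (0o444, 0o400):  # mode from the post, then owner-only
            os.chmod(path, mode)
            results.append(audit_config(path)[1])
    return results

if __name__ == "__main__":
    for found in demo():
        print(found)
```

Tightening the mode only removes the first finding; the credentials remain in clear text for the web server account, so the account stored in `$smtpuser` should be one whose compromise is limited to the site's mail.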

Post by fcoulter » Fri Sep 14, 2018 9:26 pm

It would be a good idea to not use your personal email server; set up a dedicated email account for this purpose.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

Post by Webdongle » Fri Sep 14, 2018 9:29 pm

If a hacker can read that file then they have FULL access to your server and you have bigger problems. The hackers would not need to read any info in that file as they already have full access. But if you are still worried https://docs.joomla.org/index.php?title ... ldid=68318

Please also run the FPA viewtopic.php?f=714&t=793531 and post the results ... we can advise on other security issues.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

Post by fcoulter » Mon Sep 17, 2018 10:24 am

The OP doesn't say that anyone has read the configuration.php, he/she is just worried about the fact that someone might.

I don't personally think that it is a good idea to try to move the configuration.php file, it is more trouble than it is worth for the small additional protection it offers.

And actually I think that someone getting access to your personal email would be a bigger problem than having your site hacked, they could potentially get access to all your personal accounts such as bank, paypal, amazon etc. So don't ever use a personal email for this purpose.

Many hosting accounts will include the option of creating mailboxes which can be used as SMTP servers for this purpose. If yours does not, you can use a Gmail account; just create a new dedicated Gmail account for this purpose.

Post by Webdongle » Mon Sep 17, 2018 11:57 am

fcoulter wrote:
Mon Sep 17, 2018 10:24 am
The OP doesn't say that anyone has read the configuration.php, he/she is just worried about the fact that someone might. ...
I know. My point is that it is not worth worrying about because for a hacker to read that file then they already would have full access to the server.

fcoulter wrote:
Mon Sep 17, 2018 10:24 am
...
I don't personally think that it is a good idea to try to move the configuration.php file, it is more trouble than it is worth for the small additional protection it offers....
imho it provides no extra protection at all. Hackers who can read that file already have full access to the server so already have the information that is in it.

Post by fcoulter » Mon Sep 17, 2018 12:36 pm

I think that we are largely in agreement, except for:
"My point is that it is not worth worrying about because for a hacker to read that file then they already would have full access to the server."
It is worth worrying about, because if a hacker reads that file and it contains the credentials for a personal email account then they have full access to your life. Just don't ever put personal information in there.

Then in that case all you have to worry about is your site being hacked, which as you say can always be restored.

Post by Per Yngve Berg » Mon Sep 17, 2018 1:12 pm

For Gmail you have to create a separate app password for Joomla to use, not the password you use yourself.

Post by gymvago » Tue Sep 18, 2018 10:30 pm

fcoulter wrote:
Mon Sep 17, 2018 12:36 pm
Just don't ever put personal information in there.
Yes. I think this problem is very important. Finally, I have created a new account on Outlook.com with different aliases for each Joomla website on my VPS. Maybe, in the future, it will be interesting to achieve a method with encrypted passwords.
Per Yngve Berg wrote:
Mon Sep 17, 2018 1:12 pm
For Gmail you have to create a separate app password for Joomla to use, not the password you use yourself.
Thanks. I did not know about this, but now I have a new account on outlook.com; anyway, I am going to investigate this feature.

Post by Webdongle » Tue Sep 18, 2018 10:38 pm

gymvago wrote:
Tue Sep 18, 2018 10:30 pm
.... Finally, I have created a new account on Outlook.com with different aliases for each Joomla website on my VPS....
Thanks. I did not know about this, but now I have a new account on outlook.com, ...
Not very professional having gmail addresses. Best set up the email address on your host's CP and use the PHP mailer: you@yoursite .com rather than you@gmail .com. Personally I avoid sites that have gmail (or other free emails like yahoo) because they look like businesses that are operated from a bedroom.

Post by gymvago » Tue Sep 18, 2018 10:50 pm

Webdongle wrote:
Tue Sep 18, 2018 10:38 pm
Personally I avoid sites that have gmail (or other free emails like yahoo) because they look like businesses that are operated from a bedroom.
Yes, it is true and you are right; however, my websites are not professional, and I have not installed an "administrator panel" (I prefer to learn with a LAMP installation rather than use cPanel, which is moreover very expensive, or Virtualmin), nor any mail server features, because this way I avoid fighting with spam problems. Later, I plan to buy the mail function from some provider (G Suite, Office 365, OVH Mail, etc.) and to create personal email addresses with my domains, outside my VPS; or maybe to rent a new VPS only for mail purposes.

Post by Webdongle » Wed Sep 19, 2018 12:03 am

You will get spam whichever mail server you use.