Why should I adjust SMTP settings for a pentest?

At the start of a security assessment (pentest), we ask you to temporarily adjust the SMTP settings of your application. By configuring the SMTP settings we supply, our researchers (pentesters) can see every e-mail message your application sends during the test.

What are SMTP settings?

SMTP settings tell your application which mail server to hand outgoing e-mail to (typically a host, port, and credentials). Pointing them at our server routes every outgoing message through it, so we can view all of them.

Why set other SMTP settings?

This improves the effectiveness and completeness of the assessment. Applications often send e-mail in the background that the tester would otherwise never see. With our SMTP settings in place, our researchers gain insight into these functionalities and can test them properly. It also makes collaboration easier, because every researcher can view all e-mail messages the application has sent.

Is setting up SMTP difficult?

In most applications and development frameworks, SMTP settings are easy to change: they usually live in the central configuration (a settings file or environment variables), so no code changes are needed and setting them up involves no additional development cost. Note down the original values before changing them, so they can be restored once the assessment is finished.

Our application sends e-mail via an API and not via SMTP

No problem. Instead of changing SMTP settings, you can forward all outgoing e-mail messages to an e-mail address that we will provide.
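Both options above (swapping in the SMTP relay, or redirecting every message to a pentest mailbox) can be handled in one place in the application's mail layer. The following is an added example of how that could look, written for this page; it is not code from the pentest provider or from any client application. The environment variable names, the `X-Original-*` header names, and the `example.invalid` addresses are assumptions chosen for illustration.

```python
"""Outgoing-mail helper that (a) reads SMTP settings from the central config
so the pentest relay can be swapped in without code changes, and (b) can
redirect every message to a single pentest mailbox while recording who the
mail was originally addressed to. Added example; not the provider's own code."""
import os
import smtplib
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Mapping


@dataclass(frozen=True)
class SmtpSettings:
    host: str
    port: int
    username: str
    password: str
    use_starttls: bool

    @classmethod
    def from_env(cls, env: Mapping[str, str] = os.environ) -> "SmtpSettings":
        # Assumed variable names: change them to match your own configuration.
        return cls(
            host=env.get("SMTP_HOST", "localhost"),
            port=int(env.get("SMTP_PORT", "587")),
            username=env.get("SMTP_USER", ""),
            password=env.get("SMTP_PASSWORD", ""),
            use_starttls=env.get("SMTP_STARTTLS", "1") == "1",
        )


def build_message(sender, to, subject, body, cc=(), bcc=()):
    """Build a plain-text message; Bcc is returned separately so it never
    appears as a header in the delivered mail."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(bcc)


def envelope_recipients(msg, bcc):
    """All SMTP RCPT TO addresses for an unmodified message."""
    rcpts = []
    for hdr in ("To", "Cc"):
        if msg.get(hdr):
            rcpts += [a.strip() for a in msg[hdr].split(",")]
    return rcpts + list(bcc)


def redirect_recipients(msg, bcc, override):
    """Redirect the message to `override` (the pentest mailbox), keeping the
    original To/Cc/Bcc in X-Original-* headers so the tester still sees who
    the application meant to reach. With an empty override, nothing changes."""
    if not override:
        return msg, envelope_recipients(msg, bcc)
    originals = {"To": msg.get("To", ""), "Cc": msg.get("Cc", ""), "Bcc": ", ".join(bcc)}
    for hdr, value in originals.items():
        if value:
            msg[f"X-Original-{hdr}"] = value
    del msg["To"]
    del msg["Cc"]
    msg["To"] = override
    # Only the override address goes on the SMTP envelope; the original Bcc
    # recipients are dropped from delivery as well.
    return msg, [override]


def send(msg, rcpts, settings: SmtpSettings):
    """Hand the message to the configured relay (network call; not run in tests)."""
    with smtplib.SMTP(settings.host, settings.port, timeout=30) as smtp:
        if settings.use_starttls:
            smtp.starttls()
        if settings.username:
            smtp.login(settings.username, settings.password)
        smtp.send_message(msg, to_addrs=rcpts)


if __name__ == "__main__":
    settings = SmtpSettings.from_env()
    override = os.environ.get("MAIL_REDIRECT_TO", "")  # assumed variable name
    msg, bcc = build_message("app@example.invalid", ["alice@example.invalid"],
                             "Password reset", "Constructed sample body.",
                             bcc=["audit@example.invalid"])
    msg, rcpts = redirect_recipients(msg, bcc, override)
    send(msg, rcpts, settings)
```

In practice the override address would only be set on the environment under test, and both it and the SMTP variables are removed again after the assessment; keeping the original recipients in headers is what lets the pentester tell a password-reset mail for one user from the same mail for another.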

Is it necessary to set SMTP settings?

No. In principle our researchers can test without these settings, but this comes at the expense of the effectiveness and completeness of the assessment.