[codelitt]

I don't believe this would even be an issue if they offered the option to not log sensitive data. I had requested that they provide something like this and someone quite senior reached out to me. He was very polite and professional. He explained that they had to keep this data for operational and compliance reasons and that all email providers are required to. However, that didn't resolve my security concern.

We ended up going with Mandrill which does offer the option to not log sensitive data ^1. Whether they log it somewhere else for the compliance reasons that Mailgun mentioned isn't mentioned anywhere in their docs or privacy policy, but doesn't seem to be accessible from everything I could find. You should never log or allow others to log password reset urls or other sensitive details.

1: See documentation here: https://mandrillapp.com/api/docs/messages.JSON.html#method-s... and search view_content_link

[james_pm]

This needs to be the #1 comment in the thread. If you use a transactional mailer, make sure you are not archiving emails with security-sensitive content.

That includes resets, username reminders, signin notifications, etc.

Also secure access to your transactional mailer account with 2FA and restrict access to those who need to be there (i.e. not your entire support team).

[reaperducer]

More and more "compliance" is an IT industry excuse for "because we want to."

[sgrove]

Honest question, why would you "want to" adhere to compliance? It's almost always more work and more cost, I think.

[nuggien]

The cost of paying fines for non compliance would be more.

[sgrove]

Exactly, that's very different from "because we want to," it's, "because there's a very big stick over our heads if we don't."

I just thought the attitude/assertion was in discord with my own experience/understanding.

[linkmotif]

Can you explain this a bit more, please? I am confused. How does ‘view_content_link’ cause a security problem?

[l_t]

It's the opposite. That is a link to the section of the Mandrill docs, not the Mailgun docs. The view_content_link option fixes the security problem. (In theory, anyway).

[linkmotif]

Right. I understand that having that option lets you mitigate some problem. Can anyone expand on what this option does and how it mitigates the problem? Did I miss something from the blog post?

[l_t]

Sure -- AFAIK the problem was that Mailchimp was hacked, and the hacker was able to see and intercept the password reset links being sent to the customer by looking at Mailchimp log data. This option indicates that links should not be stored in log data, so even if an attacker has compromised your Mandrill account, they should be unable to see the exact reset links that are being sent.

edit: worth noting that there are obviously other ways a hacked Mandrill/Mailchimp account could be abused. This just shuts down one of the major abuses you could perform.

[pilsetnieks]

Mailgun, not Mailchimp.

Those are two entirely separate companies (unlike Mandrill and Mailchimp which is the same company.)

[linkmotif]

Thanks. I did indeed miss critical parts of the post. I will review again.