Recommend mandatory STARTTLS for Google

[c960657]

Summary

The Action Mailer guide recommends using opportunistic TLS (enable_starttls_auto: true) for connecting to smtp.google.com.

This setting is vulnerable to man-in-the-middle attacks. Google definitely supports STARTTLS, so this should be required using enable_starttls: true.

[ghiculescu]

This option isn't documented here

rails/actionmailer/lib/action_mailer/base.rb

Line 405 in 603631b

# * <tt>:enable_starttls_auto</tt> - Detects if STARTTLS is enabled in your SMTP server and starts

Should it be?

[c960657]

I just realised that enable_starttls was added in mail version 2.7.0. Surprisingly, the auto-feature was added first.

Action Mailer currently requires version 2.5.4.

I don't think there is any reason to bump the requirement just because of the guide, but the new option definitely deserves to be mentioned. I'll fix.

[c960657]

Arg, I made this fix a long time ago but I somehow failed to push my branch. In the meantime this option has been documented in #44096.

[ghiculescu]

So if you are using an older version of mail and set this option, will that be fine?

[c960657]

I have added a note about this.

[rails-bot]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Thank you for your contributions.

[rails-bot]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Thank you for your contributions.

[gregmolnar]

@ghiculescu Is this one still good to be merged?

[ghiculescu]

I think so, but it needs to be reviewed by someone from the core or committer teams. They will get to it, it can jus take a little while. Thank you for keeping it open.