Veeam sending SMTP password as username in plaintext

[ilovepancakes]

I have setup email notifications in Veeam B&R by adding my SMTP server and username and password.

My mail server shows log entries every day that the machine running Veeam (known by IP address) is submitting a username to the SMTP server and attempting to login, and this username doesn't exist so the login fails. The log entry shows the username that Veeam is trying to login with and it's the password set for that SMTP server. Veeam is attempting to use the password entered into it for the SMTP server as the username. What is strange though, is following entries in the mail server logs show Veeam then does login successfully after trying the actual username I entered, and email alerts work fine from Veeam. Yet, the following day, and every day after, Veeam always makes at least 1 or 2 attempts to login using the password as the username. This is a security issue because it is sending the password as username, which then gets stored in plaintext in logs. Below is a smtpd log entry from my mail server showing how Veeam attempts to use a password (in parenthesis) as the username when logging in to mail server.

Code: Select all

smtpd (total: 1)
         1   Convert login account (c2p0lT2r6ghsy6jHi15dhw6m0zYybU) failed

Support Case #: 04773542 (Case closed and unanswered because I'm using free Veeam)

[PetrM]

Hi Chris,

I've asked our support team to review the case, I'll update the topic once I have more information.

Thanks!

[PetrM]

Hi Chris,

As far as I see, a spin-off case (04788620) is created and it's being researched by our senior support engineers, it seems that everything is on right track.

Thanks!