Today I was configuring ELMAH to send emails when an exception occurs on my new blog. While looking for the config options, I noticed that a lot of the snippets being posted around suggests people are putting usernames and passwords in their config files to make this work. That's pretty scary! :(

Because SMTP is a bit crap, you don't actually need to authenticate to send email. Most SMTP servers are locked down to stop relaying, but if you deliver directly to the recipients server, the mail will (usually) be accepted anonymously. I sayusually because your email could be rejected based on the From header if something like DomainKeys is set up for that domain.

To configure ELMAH to send mail without authentication, simply look up an MX record for the domain you wish to send the email to, and use that as the SMTP Server. Eg., if you're using Google Apps (like me), you could do something like this:

<errorMail
	from="&quot;Blog Error;quot; &lt;blog+errors@fakedomain.com&gt;"
	to="&quot;Blog Errors&quot; &lt;blog+errors@fakedomain.com&gt;"
	smtpServer="aspmx.l.google.com" />

This means you don't need to put your email username/password in the config file to receive emails about your exceptions.