What are best practices for storing SMTP credentials in an asp.net application?
I have created several asp.net applications that send email in the past but I have always been unsure of where to store the SMTP credentials. I usually just create a separate XML file to store this information but I am not sure if this is the best way.
What are best practices when storing SMTP credentials for an asp.net application?
Should SMTP credentials be stored in the web.config?
You should ask yourself: Where do you store your Connection String?
If web.config is secure enough for your DB credentials, I don't see any reason why SMTP ones should differ.
So my pick would be - wherever you store your Connection String.
Am I stating the obvious?
<configuration>
  <system.net>
    <mailSettings>
      <smtp>
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
Subjective tag?
I would store in web.config if I had my druthers. I've been at places that stored them in a DB with a call to the DB for those credentials any time an email needed to be sent (yuck).
I would give the advice to set the SMTP server to NTLM authentication only, and run the web application as an authorized user for the server. No credentials are then stored except the IP of the SMTP server.
Obviously if you're using Gmail this isn't an option, in which case store it in your own separate Section with an encrypted username and password. You could argue however, that if they have access to your web config they're more than likely to have access to your source files or de-compilable binaries.
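Added example, not part of any answer above: one way to keep the credentials in the `<smtp>` section of web.config while encrypting that section with .NET protected configuration. The class and method names, the virtual path argument and the sample values in the comment are assumptions made for illustration.

```csharp
using System.Configuration;
using System.Net.Configuration;
using System.Net.Mail;
using System.Web.Configuration;

// Hypothetical helper (added example). Assumes web.config holds something like
// this before encryption (all values constructed):
//   <smtp from="noreply@example.com">
//     <network host="smtp.example.com" port="587"
//              userName="mailer" password="PLACEHOLDER" />
//   </smtp>
public static class SmtpConfigProtector
{
    private const string SectionPath = "system.net/mailSettings/smtp";

    // Encrypts the <smtp> section in place. Returns false if it was already
    // encrypted. appVirtualPath is an assumed value such as "~".
    public static bool ProtectSmtpSection(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        var section = config.GetSection(SectionPath) as SmtpSection;
        if (section == null)
            throw new ConfigurationErrorsException("Could not load " + SectionPath);

        if (section.SectionInformation.IsProtected)
            return false;

        // RSA provider: the key lives in a machine-level key container,
        // not in the web.config file itself.
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Sending code is unchanged: SmtpClient reads host, port and credentials
    // from <smtp>, and the runtime decrypts the section transparently.
    public static void SendTest(string from, string to)
    {
        using (var client = new SmtpClient())
        using (var message = new MailMessage(from, to, "Test", "Config check"))
        {
            client.Send(message);
        }
    }
}
```

This protects the credentials when the web.config file alone is disclosed (backup, source control, file read); code running as the application identity can still decrypt the section. The application's identity needs read access to the RSA key container, and the encrypted file will not decrypt on another server unless that key is exported to it.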