
Drupal 7 password reset request shows contents of email in browser

I am running a Drupal 7.41 site on PHP Version 5.2.17. I requested a password reset, and above the usual "Further instructions have been sent to your e-mail address" message, I got a long debug-type message which begins

2015-10-29 12:24:13 Connection: opening to 127.0.0.1:25, t=10, opt=array ( )
2015-10-29 12:24:13 Connection: opened
2015-10-29 12:24:13 SMTP -> get_lines(): $data was ""
2015-10-29 12:24:13 SMTP -> get_lines(): $str is...

and ends

SMTP -> get_lines(): $data was ""
2015-10-29 12:24:13 SMTP -> get_lines(): $str is "250 Reset OK "
2015-10-29 12:24:13 SMTP -> get_lines(): $data is "250 Reset OK "
2015-10-29 12:24:13 SERVER -> CLIENT: 250 Reset OK

In the middle of all this it actually shows the password reset link - so anyone requesting a password reset can just go to this link and log straight in.

What on earth have I done to make my site so insecure??

Here are the things which I did to solve this:

1) Checked /admin/reports/status for problems.

2) Checked that /admin/config/development/logging had 'Error messages to display' set to None.

3) Checked that I didn't have any development-specific modules running.

4) Installed https://www.drupal.org/project/security_review and followed its recommendations.

5) Realised that I had installed https://www.drupal.org/project/phpmailer to send emails...

6) Checked the configuration of phpmailer at /admin/config/system/phpmailer, and found that under 'Advanced SMTP settings', I had 'Debug level' set to 'Full communication'. Kicked myself for being such an idiot, and changed it to 'Disabled'.

Problem solved.
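A regression check for the leak described above, added here as an example and not part of the original post: it scans the page returned after a password reset request for the SMTP debug strings quoted in the question and for reset links. The function name, the sample pages and the Drupal 7 reset path pattern (user/reset/uid/timestamp/hash) are assumptions of this example.

```python
import html
import re

# Marker strings taken from the debug output quoted in the question.
DEBUG_MARKERS = {
    "connection_open": re.compile(r"Connection: opening to \S+:\d+"),
    "server_to_client": re.compile(r"SERVER -> CLIENT:"),
    "smtp_get_lines": re.compile(r"SMTP -> get_lines\(\)"),
}
# Assumption: Drupal 7 one-time login path, user/reset/<uid>/<timestamp>/<hash>.
RESET_LINK = re.compile(r"/user/reset/\d+/\d+/[A-Za-z0-9_-]+")


def scan_response(body):
    """Report SMTP debug output and reset links found in a rendered page."""
    # Messages are often HTML-escaped ("->" becomes "-&gt;"), so decode first.
    text = html.unescape(body)
    markers = sorted(n for n, rx in DEBUG_MARKERS.items() if rx.search(text))
    links = RESET_LINK.findall(text)
    return {"markers": markers, "reset_links": links,
            "leak": bool(markers or links)}


# Constructed sample: reset page with the debug transcript rendered into it.
LEAKY_PAGE = (
    '<div class="messages status">'
    "2015-10-29 12:24:13 Connection: opening to 127.0.0.1:25, t=10<br>"
    "2015-10-29 12:24:13 SMTP -&gt; get_lines(): $data was &quot;&quot;<br>"
    "http://example.test/user/reset/1/1446121453/CONSTRUCTED_PLACEHOLDER<br>"
    "2015-10-29 12:24:13 SERVER -&gt; CLIENT: 250 Reset OK<br>"
    "Further instructions have been sent to your e-mail address.</div>"
)
# Constructed sample: the same page with 'Debug level' set to 'Disabled'.
CLEAN_PAGE = (
    '<div class="messages status">'
    "Further instructions have been sent to your e-mail address.</div>"
)

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_response(page))
```

Run against the response body of a real reset request on a staging copy, a non-empty `markers` or `reset_links` list means the mail transcript is still being rendered to the browser.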
