Does net/smtp send credentials in plain text?

I'm looking at this example. http://golang.org/pkg/net/smtp/#example_PlainAuth

package main

import (
	"log"
	"net/smtp"
)

func main() {
	// Set up authentication information.
	auth := smtp.PlainAuth("", "user@example.com", "password", "mail.example.com")

	to := []string{"recipient@example.net"}
	mesg := []byte("This is the email body.")

	err := smtp.SendMail("mail.example.com:25", auth, "sender@example.org", to, mesg)
	if err != nil {
		log.Fatal(err)
	}
}

Does smtp.PlainAuth send credentials to the mail server in plain text? Is it safe to use net/smtp in the wild?

PlainAuth uses the Plain auth mech from RFC 4616, which is the username/password in plain cleartext. Normally when you are using this, encryption will be handled at a lower level, for example you will create a TLS connection. and then use PlainAuth over that. If you are not talking over an encrypted connection, then use of PlainAuth can be risky as if the traffic is intercepted, the user/pass are easy to get.

but if you read, you will see the SendMail function says the following:

> SendMail connects to the server at addr, switches to TLS if possible, authenticates with the optional mechanism a if possible, and then sends an email from address from, to addresses to, with message msg.

So it will try to automatically upgrade to TLS where possible for you. So as long as you are using servers that support TLS, you should be relatively safe. The other Auth choice is CramMD5, but server support for this method is generally less common than PlainAuth which most everything supports.