Hacker News

Is this authless? You just send mail as the account configured and anyone can send mail?


A service like this might only be exposed internally to trusted servers. Depends on the setup.


> This service defaults to no authentication.


That default really did not work out well for MongoDB[1]. Why are we perpetuating this mistake?

[1] https://www.bleepingcomputer.com/news/security/mongodb-apoca...


Perhaps, more importantly, that didn't work out very well for SMTP either; aka "open relay".


I haven't tried it myself (and won't) but given this section "Passing Secrets" in the README [1] I don't think it's authless.

[1] https://github.com/dthree/mailit/blob/master/readme.md#passi...


Those secrets are for Mailit itself to connect and authenticate against the email server.


Ah you're right. So this is even worse than I thought..


It's not _worse_, it's just designed for a use case that expects it to only be available to services that are allowed to send email.



