I think it is normal. When using SMTP server, some authentication protocol is required. Usually, encrypted data is irreversible. We can not decript it. Therefore, password is stored in the database without being encrypted. Q2A seems to use LOGIN authentication type. In this type, password encoded with Base64 is sent to the transmission line. This is not dangerous, but it is also not safe. We should consider to use CRAM-MD5 that does not send passwords to the transmission line.