SMTPAppender reads all of the system properties in method activateOptions in order to setup mail service. This is not necessary because only property mail.smtp.host is required. There is a potential security issue when Java Security Manager is enabled. In policy file, the specific codeBase has to be granted PropertyPermission of read and write for all system properties. This bug was found when starting Tomcat with -security.
Actualy, additional properties may be used, including provider-specific mail- related system properties. For example, user and password credentials, or additional mail factory configuration details, may be specified as system properties. These are passed to the mail Session constructor as the JavaMail API recommended. So mail.smtp.host is not the only property used, and in fact we cannot know in advance the set of properties that will be used.