When the SMTP connection is not set up correctly, or failing due to other reasons like #17026, requesting for password recovery currently displays the full error message returned from the SMTP server. This could for example include the sender mail address or the login.
As the password recovery is public available we should consider not showing the full error message in this case.
I suppose in many cases the login be the same as the sender and the sender is kind of maybe guessable? Nonetheless could be replaced maybe automatically by catching exception and throwing it again?