1

I was told today by a support rep at SMTP.com that regardless of whether we connect via SSL or non-SSL, the data is secure as if it is going via SSL. I'm no genius, but I'm also not a complete idiot. And I have a strong feeling that this guy was just giving me false information.

Can someone please clarify for me, if I am using the php mail function, or phpmailer class to send email, and I connect via port 25, using an unsecured connection, is there any chance that a hacker could access that information for malicious purposes?

And if I am wrong, and SMTP.com is correct, then why is there even an option to send via SSL vs non-SSL? If it is truly secure either way?

For reference, here is a transcript of the conversation:

Stan L: Hi, thanks for contacting support. How can I help you?

You: Hi Stan, I noticed that emails being routed through our SMTP.com account stopped this morning about an hour ago. Come to find out it was because we were submitting via the SSL port 465 to host smtp.com.

You: Checked the settings and noticed it was supposed to be retail.smtp.com, and also that encryption was turned off for some reason.

You: My question is, why was it working up until now?

You: And secondly, how can we ensure that every mail that is sent via smtp.com is encrypted?

Stan L: Because sometimes it works with the encryption and wrong port but unexpected errors can happen. You do not need to use encryption because you are using SASL authentication when connecting to our servers as protection. So please use these ports: 25. 2525. 25025. 80

You: Okay, Stan. Thanks. Question though...

You: I'm no genius when it comes to this technical stuff but as I understand it, if we want the data to be inaccessible to hackers it should be going via SSL.

You: ?

Stan L: What do you mean by inaccessible? All the data sent through our servers is protected and nobody has access to it from the outside.

You: Okay, awesome. Question.

You: If this is the case, then why would SSL even be an option?

You: Why is SSL via SMTP even available as a setting in phpmail?

Stan L: Because sometimes it can not be turned off in several old software

You: Okay, I'll just post this conversation on StackOverflow and see if the devs have any other comments. It doesn't make sense to me why this is the case.

Stan L: ok sure

Stan L: could you also provide your customer id or login?

You: But surely, you are telling me 100% for sure that if we connect via port 25, retail.smtp.com, that there is zero chance that the information could be lifted by a hacker?

Stan L: Yes, all the data is secured by our system.

Stan L: could you also please provide your customer id or login?

You: Thank you.

FurryWombat
  • Might want to have a look at this other question: http://stackoverflow.com/questions/11347304/security-authentication-ssl-vs-sasl – Thomas Orozco Jun 10 '15 at 17:21
  • Well, that clears it up! SMTP.com: 1, Me: 0. To be continued. – FurryWombat Jun 10 '15 at 17:33
  • @FurryWombat It's a bit more subtle than that. I'd say the username is protected with SASL authentication, but the message content isn't necessarily. I'm not sure whether that particular SASL mechanism would provide server authentication first either. That said, chances are you might be able to use SSL/TLS via SMTP+STARTTLS (on port 25 or others they have available) if you can use SSL/TLS via SMTPS (port 465). – Bruno Jun 10 '15 at 17:34
  • Interesting... I will explore this further with SMTP.com, and report back with findings. – FurryWombat Jun 10 '15 at 17:45
  • I'm being told that the information is secure, because of StartTLS. And that, regardless of the port we are using to connect with SMTP.com, the data is encrypted both between our server and SMTP.com, and between SMTP.com and the recipient. Is there any possibility that this information could be false? – FurryWombat Jun 10 '15 at 18:09

1 Answer

2

It may be possible to encrypt all traffic with SASL as they say, but the distinction is academic because PHPMailer doesn't support SASL for either authentication or any subsequent traffic, but does support SSL and TLS. So if you're using PHPMailer to send to them and you're not using SSL or TLS, your traffic is not being encrypted. As we all know, SMTPS (explicit SSL on port 465) was deprecated in 1998, so SMTP+STARTTLS is the one to go for, and that can work on any port, though 587 is usual for submission.

AFAIK, STARTTLS has nothing to do with SASL. One advantage SMTP+STARTTLS has over SMTPS is that it can co-exist with non-encrypted traffic on the same port, so you can connect to an insecure port (say, 25), then send a STARTTLS command, and from that point onwards it's encrypted and you're generally safe to use things like AUTH PLAIN logins.

It may be possible to make use of SASL indirectly when using the mail() function if your local mail server is configured to relay, authenticate and connect to the smtp.com server appropriately, i.e. it's not a PHP thing.

Synchro
  • It would probably be better if you didn't call SMTPS "SSL" and SMTP+STARTTLS "TLS". It's a common mistake (which a few e-mail clients repeat, including Outlook), but you can actually use SSL or TLS with either mode (see [longer explanation](http://serverfault.com/a/368574/47187)). – Bruno Jun 10 '15 at 22:01
  • So essentially, I should be connecting to port 587 with TLS encryption set, if I am using PHPMailer or PHP mail() function, making a broad assumption that a server may or may not be configured properly for effective SASL? – FurryWombat Jun 11 '15 at 14:07
  • The port number doesn't matter (SMTP.com seems to use some odd numbers), but if you set `$mail->SMTPDebug = 2;` in PHPMailer you will see the SMTP conversation and whether it's using STARTTLS. You should expect to see a sequence of `EHLO` -> `STARTTLS` -> `EHLO` -> `AUTH` SMTP commands. – Synchro Jun 11 '15 at 16:21
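
The `EHLO` -> `STARTTLS` -> `EHLO` -> `AUTH` sequence from the last comment, checked over a saved SMTP debug transcript. This is an added example, not code from the thread or from PHPMailer; the `audit` function, the sample transcripts, the host names and the `CLIENT -> SERVER:` / `SERVER -> CLIENT:` line prefixes are assumptions.

```python
import re

LINE = re.compile(r"^(CLIENT|SERVER) -> (?:SERVER|CLIENT):\s*(.*)$")
SENSITIVE = {"AUTH", "MAIL", "RCPT", "DATA"}  # must only appear once TLS is up

def audit(transcript):
    """Return findings; an empty list means EHLO -> STARTTLS -> EHLO held."""
    tls = pending = ehlo_after_tls = False
    findings = []
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, text = m.groups()
        if side == "SERVER":
            if pending:  # this line is the server's answer to STARTTLS
                pending = False
                tls = text.startswith("220")
                if not tls:
                    findings.append("STARTTLS refused: " + text)
            continue
        parts = text.split()
        verb = parts[0].upper() if parts else ""
        if verb == "STARTTLS":
            pending = True
        elif verb in ("EHLO", "HELO") and tls:
            ehlo_after_tls = True
        elif verb in SENSITIVE and not (tls and ehlo_after_tls):
            findings.append(verb + " sent without STARTTLS + EHLO")
    return findings

# Constructed transcripts (hypothetical hosts, not captured from SMTP.com).
ENCRYPTED = """\
SERVER -> CLIENT: 220 mail.example.test ESMTP
CLIENT -> SERVER: EHLO app.example.test
SERVER -> CLIENT: 250-STARTTLS
SERVER -> CLIENT: 250 AUTH PLAIN LOGIN
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 Ready to start TLS
CLIENT -> SERVER: EHLO app.example.test
SERVER -> CLIENT: 250 AUTH PLAIN LOGIN
CLIENT -> SERVER: AUTH PLAIN [credentials hidden]
SERVER -> CLIENT: 235 Authentication succeeded
CLIENT -> SERVER: MAIL FROM:<app@example.test>
"""
TLS_STEP = "CLIENT -> SERVER: STARTTLS\nSERVER -> CLIENT: 220 Ready to start TLS\n"
PLAINTEXT = ENCRYPTED.replace(TLS_STEP, "")  # client never upgrades
REFUSED = ENCRYPTED.replace("220 Ready to start TLS", "454 TLS not available")
```

A session over implicit TLS (SMTPS) never shows `STARTTLS`, so this check only applies to connections that start in cleartext.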