I was told today by a support rep at SMTP.com that regardless of whether we connect via SSL or non-SSL, the data is secure as if it is going via SSL. I'm no genius, but I'm also not a complete idiot. And I have a strong feeling that this guy was just giving me false information.
Can someone please clarify for me, if I am using the php mail function, or phpmailer class to send email, and I connect via port 25, using an unsecured connection, is there any chance that a hacker could access that information for malicious purposes?
And if I am wrong, and SMTP.com is correct, then why is there even an option to send via SSL vs non-SSL? If it is truly secure either way?
For reference, here is a transcript of the conversation:
Stan L: Hi, thanks for contacting support. How can I help you?
You: Hi Stan, I noticed that emails being routed through our SMTP.com account stopped this morning about an hour ago. Come to find out it was because we were submitting via the SSL port 465 to host smtp.com.
You: Checked the settings and noticed it was supposed to be retail.smtp.com, and also that encryption was turned off for some reason.
You: My question is, why was it working up until now?
You: And secondly, how can we ensure that every mail that is sent via smtp.com is encrypted?
Stan L: Because sometimes it works with the encryption and wrong port but unexpected errors can happen. You do not need to use encryption because you are using SASL authentication when connecting to our servers as protection. So please use these ports: 25. 2525. 25025. 80
You: Okay, Stan. Thanks. Question though...
You: I'm no genius when it comes to this technical stuff but as I understand it, if we want the data to be inaccessible to hackers it should be going via SSL.
You: ?
Stan L: What do you mean by inaccessible? All the data sent through our servers is protected and nobody has access to it from the outside.
You: Okay, awesome. Question.
You: If this is the case, then why would SSL even be an option?
You: Why is SSL via SMTP even available as a setting in phpmail?
Stan L: Because sometimes it can not be turned of in several old software
You: Okay, I'll just post this conversation on StackOverflow and see if the devs have any other comments. It doesn't make sense to me why this is the case.
Stan L: ok sure
Stan L: could you also provide your customer id or login?
You: But surely, you are telling me 100% for sure that if we connect via port 25, retail.smtp.com, that there is zero chance that the information could be lifted by a hacker?
Stan L: Yes, all the data is secured by our system.
Stan L: could you also please provide your customer id or login?
You: Thank you.
It may be possible to encrypt all traffic with SASL as they say, but the distinction is academic because PHPMailer doesn't support SASL for either authentication or any subsequent traffic, but does support SSL and TLS. So if you're using PHPMailer to send to them and you're not using SSL or TLS, your traffic is not being encrypted. As we all know, SMTPS (explicit SSL on port 465) was deprecated in 1998, so SMTP+STARTTLS is the one to go for, and that can work on any port, though 587 is usual for submission.
AFAIK, STARTTLS has nothing to do with SASL. One advantage SMTP+STARTTLS has over SMTPS is that it can co-exist with non-encrypted traffic on the same port, so you can connect to an insecure port (say, 25), then send a STARTTLS command, and from that point onwards it's encrypted and you're generally safe to use things like AUTH PLAIN logins.
It may be possible to make use of SASL indirectly when using the
mail()function if your local mail server is configured to relay, authenticate and connect to the smtp.com server appropriately, i.e. it's not a PHP thing.