SMTP ports - SSL vs non-SSL
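A support rep at SMTP.com told me today that whether we connect via SSL or non-SSL, the data is secure just as if it were going via SSL. I'm no genius, but I'm not a complete idiot either. And I have a strong feeling that this guy is just feeding me false information.
If I'm sending an email using the php mail function or the phpmailer class, and I'm connecting via port 25, using a non-secure connection, is it possible for that information to be accessed by a hacker for malicious purposes?
If I'm wrong, and SMTP.com is right, then why is there even an option to send via SSL vs. non-SSL? Is it really secure either way?
For reference, here is the transcript of the conversation: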
Stan L: Hi, thanks for contacting support. How can I help you?
You: Hi Stan, I noticed that emails being routed through our SMTP.com account stopped this morning about an hour ago. Come to find out it was because we were submitting via the SSL port 465 to host smtp.com.
You: Checked the settings and noticed it was supposed to be retail.smtp.com, and also that encryption was turned off for some reason.
You: My question is, why was it working up until now?
You: And secondly, how can we ensure that every mail that is sent via smtp.com is encrypted?
Stan L: Because sometimes it works with the encryption and wrong port but unexpected errors can happen. You do not need to use encryption because you are using SASL authentication when connecting to our servers as protection. So please use these ports: 25. 2525. 25025. 80
You: Okay, Stan. Thanks. Question though...
You: I'm no genius when it comes to this technical stuff but as I understand it, if we want the data to be inaccessible to hackers it should be going via SSL.
You: ?
Stan L: What do you mean by inaccessible? All the data sent through our servers is protected and nobody has access to it from the outside.
You: Okay, awesome. Question.
You: If this is the case, then why would SSL even be an option?
You: Why is SSL via SMTP even available as a setting in phpmail?
Stan L: Because sometimes it can not be turned off in several old software
You: Okay, I'll just post this conversation on Stack Overflow and see if the devs have any other comments. It doesn't make sense to me why this is the case.
Stan L: ok sure
Stan L: could you also provide your customer id or login?
You: But surely, you are telling me 100% for sure that if we connect via port 25, retail.smtp.com, that there is zero chance that the information could be lifted by a hacker?
Stan L: Yes, all the data is secured by our system.
Stan L: could you also please provide your customer id or login?
You: Thank you.
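It may be possible to encrypt all traffic using SASL, as they say, but the difference is academic because PHPMailer does not support SASL for either authentication or any subsequent traffic, but it does support SSL and TLS. So if you're using PHPMailer to send them mail and you're not using SSL or TLS, your traffic is not encrypted. As is well known, SMTPS (explicit SSL on port 465) was deprecated back in 1998, so SMTP+STARTTLS is preferred, and it will work on any port, though 587 is usually used for submission.
As far as I'm aware, STARTTLS has nothing to do with SASL. One advantage of SMTP+STARTTLS over SMTPS is that it can coexist with non-encrypted traffic on the same port, so you can connect to an insecure port (say 25), then send a STARTTLS command, and from that point onwards it is encrypted, and you can generally use AUTH PLAIN logins safely.
You may be using SASL indirectly when using the mail() function if your local mail server is configured to relay, authenticate and connect appropriately to smtp.com's servers, i.e. it's not a PHP thing.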
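The point of the answer above, as an added example that is not part of the original post or of PHPMailer: SASL authentication does not encrypt the session, so anything a client sends before a successful STARTTLS travels in cleartext. The `C:`/`S:` transcript format, host names and credentials below are constructed for illustration; a real client debug log would need its own parsing.

```python
from __future__ import annotations
import base64

def audit_session(transcript: str) -> list[str]:
    """Flag SMTP commands a client sent before TLS was negotiated."""
    findings, tls, awaiting_reply = [], False, False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        parts = text.split()
        if not parts:
            continue
        if side == "S":
            # Only a 220 reply to STARTTLS starts the TLS handshake; any
            # other reply (e.g. 454) leaves the session in cleartext.
            if awaiting_reply:
                tls, awaiting_reply = parts[0] == "220", False
            continue
        verb = parts[0].upper()
        if verb == "STARTTLS":
            awaiting_reply = True
        elif tls:
            continue  # everything after the upgrade is encrypted
        elif verb == "AUTH" and len(parts) == 3 and parts[1].upper() == "PLAIN":
            # Base64 is an encoding, not encryption: the fields decode directly.
            _, user, _ = base64.b64decode(parts[2]).split(b"\0")
            findings.append(
                f"AUTH PLAIN in cleartext: user {user.decode()!r} and password readable")
        elif verb in ("AUTH", "MAIL", "RCPT", "DATA"):
            findings.append(f"{verb} sent before STARTTLS")
    return findings

# Constructed credentials and host names, for illustration only.
CRED = base64.b64encode(b"\0alice\0hunter2").decode()

def sample_session(starttls_reply=None) -> str:
    """Build a constructed transcript; None means STARTTLS is never sent."""
    lines = ["S: 220 mail.example.test ESMTP", "C: EHLO app.example.test",
             "S: 250-AUTH PLAIN LOGIN", "S: 250 STARTTLS"]
    if starttls_reply:
        lines += ["C: STARTTLS", f"S: {starttls_reply}"]
    lines += [f"C: AUTH PLAIN {CRED}", "S: 235 Authentication successful",
              "C: MAIL FROM:<alice@example.test>", "S: 250 OK"]
    return "\n".join(lines)

if __name__ == "__main__":
    for reply in (None, "454 TLS not available", "220 Ready to start TLS"):
        print(reply, "->", audit_session(sample_session(reply)))
```

A refused STARTTLS (the 454 case) is reported the same way as never sending it, which is why a client should abort rather than continue to AUTH when the upgrade fails.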