security,ssl,phpmailer , SMTP ports - SSL vs non-SSL

SMTP ports - SSL vs non-SSL


Tag: security,ssl,phpmailer

I was told today by a support rep at that regardless of whether we connect via SSL or non-SSL, the data is secure as if it is going via SSL. I'm no genius, but I'm also not a complete idiot. And I have a strong feeling that this guy was just giving me false information.

Can someone please clarify for me, if I am using the php mail function, or phpmailer class to send email, and I connect via port 25, using an unsecured connection, is there any chance that a hacker could access that information for malicious purposes?

And if I am wrong, and is correct, then why is there even an option to send via SSL vs non-SSL? If it is truly secure either way?

For reference, here is a transcript of the conversation:

Stan L: Hi, thanks for contacting support. How can I help you?

You: Hi Stan, I noticed that emails being routed through our account stopped this morning about an hour ago. Come to find out it was because we were submitting via the SSL port 465 to host

You: Checked the settings and noticed it was supposed to be, and also that encryption was turned off for some reason.

You: My question is, why was it working up until now?

You: And secondly, how can we ensure that every mail that is sent via is encrypted?

Stan L: Because sometimes it works with the encryption and wrong port but unexpected errors can happen. You do not need to use encryption because you are using SASL authentication when connecting to our servers as protection. So please use these ports: 25. 2525. 25025. 80

You: Okay, Stan. Thanks. Question though...

You: I'm no genius when it comes to this technical stuff but as I understand it, if we want the data to be inaccessible to hackers it should be going via SSL.

You: ?

Stan L: What do you mean by inaccessible? All the data sent through our servers is protected and nobody has access to it from the outside.

You: Okay, awesome. Question.

You: If this is the case, then why would SSL even be an option?

You: Why is SSL via SMTP even available as a setting in phpmail?

Stan L: Because sometimes it can not be turned of in several old software

You: Okay, I'll just post this conversation on StackOverflow and see if the devs have any other comments. It doesn't make sense to me why this is the case.

Stan L: ok sure

Stan L: could you also provide your customer id or login?

You: But surely, you are telling me 100% for sure that if we connect via port 25,, that there is zero chance that the information could be lifted by a hacker?

Stan L: Yes, all the data is secured by our system.

Stan L: could you also please provide your customer id or login?

You: Thank you.


It may be possible to encrypt all traffic with SASL as they say, but the distinction is academic because PHPMailer doesn't support SASL for either authentication or any subsequent traffic, but does support SSL and TLS. So if you're using PHPMailer to send to them and you're not using SSL or TLS, your traffic is not being encrypted. As we all know, SMTPS (explicit SSL on port 465) was deprecated in 1998, so SMTP+STARTTLS is the one to go for, and that can work on any port, though 587 is usual for submission.

AFAIK, STARTTLS has nothing to do with SASL. One advantage SMTP+STARTTLS has over SMTPS is that it can co-exist with non-encrypted traffic on the same port, so you can connect to an insecure port (say, 25), then send a STARTTLS command, and from that point onwards it's encrypted and you're generally safe to use things like AUTH PLAIN logins.

It may be possible to make use of SASL indirectly when using the mail() function if your local mail server is configured to relay, authenticate and connect to the server appropriately, i.e. it's not a PHP thing.


Subject Alternative Name not present in certificate

I have generated a CSR that includes the field subject alt names: openssl req -out mycsr.pem -new -key mykey.pem -days 365 When I inspect this it looks as expected with a new field present: X509v3 Subject Alternative Name: DNS: my.alt.dns However when I use this to sign a certificate that...

How to create a private certificate for connecting to a website

My apologies if this is a duplicate, I may just not be using the correct terminology in my queries to find what I am looking for. I have a vendor that sent me a certificate to install in my browser so that we can access their website. We cannot get...

X509Certificate: what is the difference between getIssuerDN() and getSubjectDN() methods

I'm using X509Certificate class in java, and when I want to get the subject name I try: x509certificate.getIssuerDN().getName(); and x509certificate.getSubjectDN().getName(); both methods have the same result. So what is the difference between them ??...

Roundcube - Nginx does not redirect to .php file automatically

EDITED! I set up a mail server on Debian 7 with Nginx, Postfix, Postfixadmin, Dovecot and Roundcube. I tried to create an alias to use the SSL certificate of my domain (of course, the domain here is an example) for the webmail. When accessing the following URL -...

ssl certificate with and without www

I have a website that installed a ssl certificate for the name of It works fine for But it doesn't work for The browser gave me Error code: ssl_error_bad_cert_domain. I am using Apache 2. I tried to rewrite the url to add www in httpd-ssl.conf, see the...

SSLV3_ALERT_HANDSHAKE_FAILURE with SNI using Tornado 4.2 in Python 2.9.10

I have an issue setting the SNI flag correctly using ssl.SSLContext in Python 2.7.10, the handshake fails every time and I can't figure out why. Here is how I tried to do it: import ssl import socket if ssl.HAS_SNI: print "SNI is available" print(ssl.OPENSSL_VERSION) context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) context.load_cert_chain('cacrt.pem', 'cakey.pem', 'password')...

When a security update is applied as a patch, does the product name change?

When a security update is applied as a patch, does the product name change? I.e. Windows Server 2008 If this server undergoes a patch and/or security update, does it still appear as Windows Server 2008, or does it have to undergo a name change - I.e Windows Server 2008 version...

Create OpenSSL certificates signed by myself

I'm using boost ssl for server and client, and I have a model for server/client program in my mind, and I'm not sure it's gonna work. The model I have in my mind is to be the only authority for certificates of my program. My main question is: How can...

SSL/TLS: Why will the server be the only one to be able to decrypt the encrypted number if it's a public key?

Wouldn't anyone else be able to decrypt it too using the public key? Or is it saying that it will be decrypted with a private key. If that's the case how could something be encrypted with one key and decrypted with another? This is in reference to this wikipedia article....

How do you unblock the 993 port if your firewall settings is blocking it?

I am trying to retrieve my emails from Gmail using php. for writing the host name, this is my code: $hostname = '{}INBOX'; I am getting this error: Warning: imap_open(): Couldn't open stream {}INBOX in /home1/mtc/public_html/mtcerp/emailparser/email.php on line 10 Cannot connect to Gmail: Can not authenticate to IMAP server: [CLOSED]...

Reverse ^ operator for decryption

I'm trying to reverse the following code in order to provide a function which takes the buffer and decrypts it. void crypt_buffer(unsigned char *buffer, size_t size, char *key) { size_t i; int j; j = 0; for(i = 0; i < size; i++) { if(j >= KEY_SIZE) j = 0;...

User process can't see global shared memory created by service

I have a Windows service (running in the system process) and a desktop application that need to share a configuration structure. The data originates in the app, but the user process doesn't have permission to create a global memory object so I create it when the service starts using CreateFileMapping()...

Protect images download theory

I am a full-time developer but am building a site for my photography hobby. I dont want people to download my images and besides the usual procedures (disable right click, block hotlinks to my images etc.) i was thinking about a solution which would work 99% of the time. The...

Am I safe?? [trying to prevent sql injection] [duplicate]

This question already has an answer here: How can I prevent SQL-injection in PHP? 28 answers I was wondering if I'm safe from SQL injection if I have this in a script: < script> //some stuff var item = <?php echo json_oncode($PHPVAR) ?> item.replace(/"/,'&quot').replace(/'/,'&#39'); //do more script stuff with...

Wildfly mysql with SSL

I have a web app using a mysql database as its data store. It is currently running in Glassfish and talking to that mysql database with SSL. I am thinking about migrating to Wildfly but I can't seem to create a Wildfly datasource that will talk to the mysql database...

Placing secure data in Java web application

The question is about security in tomcat, but first consider the following example: Suppose you have apache web server. Then, under www folder, create folder named dist, and under folder dist create folder named bdf23b1c-ddd3-4d5b-8fdf-948693674011. Under this folder create some file with secure information. For example, some private picture you...

Java client certificates and keystores

we are trying to build a MUTUAL/2WAY authentication mechanism. Because we hit two different hosts, we have the same client certificate stored in the client keystore container under two different aliases (please note the same fingerprint): [email protected]:/opt/golem# keytool -list -keystore ./client.keystore -storepass ________ Keystore type: JKS Keystore provider: SUN Your...

Android encryption and decryption of text fails

I try to encrypt some text (here it is named code) and decrypt it again. For this i use a 4 digit Pin which is salted. After this the text is encrypted, also again some Base64 decoding, so i can safely output the String again. As i understand i have...

Redirecting http to https

I'd like to redirect all of my http traffic to https, currently in my htaccess file I have the following redirecting my http traffic: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_HOST} !^www\. RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] </IfModule> This redirects all of my non-www to www. What is the best way to...

How to secure configuration file containing database username and password

Issue In order to connect my PHP code with MySQL database I use PDO way, creating variable, assigning it with new PDO object where arguments contain settings such as server, database, login and password. So in resulting code it could look like this: $DAcess=new PDO("mysql:host=server;dbname=database","login","password"); I don't feel comfortable having...

SSL Handshake in Java Servlet (HttpsURLConnection)

I have a java web application that requires a servlet to open a connection with a url that returns some data in the form of JSON back to the servlet for processing. Traditionally this was done using an HttpURLConnection and everything worked as planned. Now, we have added as self-signed...

How to make a website work only with https [duplicate],ssl,https
This question already has an answer here: How to force HTTPS using a web.config file 3 answers How do I make a website to work only with https? Is there any method to make my website work only if the protocol is https? For example let me say,...

Rails, DNSimple, Heroku and SSL - do I need a certificate?

So I'm currently deploying my app via Heroku. I noticed that in has HTTPS, so if I do config.force_ssl = true in my environments/production.rb it seems like I have wildcare SSL, right? Now I'm using DNSimple to get my actual name - call it Which currently resolves to...

serving GAE applications over http

I have implemented an application on GAE which can be accessible through https://<my_app_id> Now I have a custom domain registered with As described in GAE documentation I have mapped my custom domain to https://<my_app_id> and I see my application getting served from my custom domain. But I see requests...

ArgumentError - unknown SSL method `TLSv1_2'

I am trying to move my AWS integration over TLS instead of SSLv3, but I'm receiving an error when trying to set the config.fog_credentials as another SO post has suggested, but I am receiving the ArgumentError above (unknown SSL method 'TLSv1_2'. I am open to a different solution to move...

Same system, same code, different behaviors: The request was aborted: Could not create SSL/TLS secure channel

There are many questions about "The request was aborted: Could not create SSL/TLS secure channel." error message and it seems very few of them were answered. I couldn't find any answer about my case, also my problem is little bit different. I have a Windows Service. It sends data to...

NPM Error: self signed certificate in certificate chain

I am following the Angular 2 quick start guide and I'm stuck right at the beginning of it. My company is filtering our network connections and modifying SSL negociation. In a man in the middle style they assign a self signed certificate as the CA of the destination's certificate. Therefore...

Server Authentication in Swift 2.0 & XCode 7 broken

I just updated my code to Swift 2.0 to work with Xcode 7. My App performs NSURLAuthenticationMethodServerTrust and NSURLAuthenticationMethodClientCertificate authentication. The problem is NSURLAuthenticationMethodServerTrust authentication stopped working on my simulator - but still works on my test device with iOS 8.3. Besides my old project which is not Swift 2.0,...

JQuery Add expiration to authentication token stored with HTML5 localStorage?

I am making a mobile game with JQuery Mobile, a multipage template (so all pages in 1 html file, which makes it usable with PhoneGap). Since it is HTML I am using JQuerys $.post function to send data to php scripts such as login.php, register.php, which add/update/delete data from the...

Code fails for decrypting without salt or iv in Java

I have a ciphertext and a 256-bit key to decrypt it, using AES. There is no salt or iv. I am using Java. I have implemented many of the solutions online, but they all use salts and input vectors. The following builds fine, but fails at runtime: "Salt not found."...

Issue with understanding keystore and ssl

These are the facts: I have a client(android)-server(java - Ubuntu 14.04)-program with which I transmit my gps-data from my smartphone every 5 minutes to the server saving it into a mysql-database. My problem is that I do not want to transmit my GPS data plain. So I want to use...

File security System in java? [on hold]

i'm new to java world.I have a idea about file secure system.When i add a file to the application it will encrypt and store a folder in the installation path.If i need to see the file ,i need to login with my username and password and the file will automatically...

Run Golang as www-data

When I run a Node HTTP server app I usually call a custom function function runAsWWW() { try { process.setgid('www-data'); process.setuid('www-data'); } catch (err) { console.error('Cowardly refusal to keep the process alive as root.'); process.exit(1); } } from server.listen(8080,'localhost',null,runAsWWW); so the server is actually running as the www-data user to...

Is client-side java intrinsically less secure than javascript?

Much has been made of a series of bugs and exploits on client side java, leading to the blacklisting of various versions by apple, mozilla, etc. Yet javascript is an even less controlled language without static typing. Today javascript allows for many of the same potential problems: local storage, accessing...

How to restrict file copying shared using Content Provider in Android?

Is it possible to forbid making copies of files for third party applications (like adobe reader), that I am using to open pdf files stored in internal memory of my application?

Role concept in the authorization

I'm writing the following public interface SecurityService{ public Error tryLogin(String usr, String psw); public String getRoleCurrentUser(); //Attention here } and of course, there will be a couple implementations. For instance, now I have public SpringSecurityService{ @Autowired AuthenticationManager authenticationManager; public Error tryLogin(String usr, String psw){ //Implementation here } public String getRoleCurrentUser(){...

Now that SSLSocketFactory is deprecated on Android, what would be the best way to handle Client Certificate Authentication?

I am working on an Android app that requires Client Certificate Authentication (with PKCS 12 files). Following the deprecation of all that's apache.http.*, we have started a pretty big work of refactoring on our network layer, and we have decided to go with OkHttp as a replacement, and so far...

Hide sensitive information from git changes

Is there a way to instruct git to hide my sensitive information. E.g. credentials.php (in local repository). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'password'; credentials.php (in github repository and history). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'xxxxxxxx'; So git automatically hides the information with 'x'. If not via...

Self-signed Certificate and Client Keystore for SSL Authentication

I need to create and install a self-signed certificate on the server (an XML hardware appliance) to do SSL authentication of a Java client/application which, through its interface configuration, can set keystores, i.e. .jks. I only need this setup for testing purposes and not production, for obvious reasons. Here's how...

Is it possible for a user to modify site javascript in browser?

I don't know a lot about security, but I'm trying to figure out how to keep my site as safe as possible. I understand that as much stuff that I can handle on the backend the better, but for instances where I'd like to hold some variables on the client,...

Starting a tls communication with python asyncio

I have some python code snippet that uses asyncio and initiates a "plain" connection: loop = asyncio.get_event_loop() coro = loop.create_connection(lambda: MyCustomClassProtocol(loop), sock=client_socket) loop.run_until_complete(coro) The point is my plain connection switches to a tls one once some exchanges have happened. In the traditional way one would do this: ssl_sock = ssl.wrap_socket(client_socket,...

How does DNS server know the IP address of an SSL's URL?

The SSL/TLS (https) protocol encrypts both of the web page url and its content. So I'm wondering how could the DNS server know the ip address of the requested url if it is encrypted? Any documented reference or idea?

Getting SSLHandshakeException in java

I ma getting SSL Hand Shake error in eclipse while calling https restful web service from simple java stub but, can access this URL from browser after importing Client Digital Certificate to browser which was shared by service provider. Hiding End point URL for security purpose. Please help me, i...

What damage can a website do?

Now and then I (accidentally) come across websites that my anti-virus warns me about. Out of curiosity, what kind of damage can a website do? I've been working in web development for around 4 years now and can't think of any 'genuine' damage worth warning the user about. Maybe I'm...

salt created by Java SecureRandom has different getBytes() value [duplicate]

This question already has an answer here: how to convert byte array to string and vice versa 13 answers I use java SecureRandom to create salt to encrypt user. However, when I tried to match user with salt and password, they failed on different machine. The user is created...

Websocket SSL connection

I am trying to test a secure websocket but I'm having trouble. Here is my test: var WebSocket = require('ws'); describe('testing Web Socket', function() { it('should do stuff', function(done) { var ws = new WebSocket('wss://localhost:15449/', { protocolVersion: 8, origin: 'https://localhost:15449' }); ws.on('open', function() { console.log('open!!!'); done(); }); console.log(ws); }); });...

RSA encryption in Android and Java

I would like to encrypt a String with RSA encryption. My public/private keys were generated and stored in DB. In android, I use this code: public static String encryptRSAToString(String text, String strPublicKey) { byte[] cipherText = null; String strEncryInfoData=""; try { KeyFactory keyFac = KeyFactory.getInstance("RSA"); KeySpec keySpec = new X509EncodedKeySpec(Base64.decode(strPublicKey.trim().getBytes(),...

Wildcard SSL - Which to chose and what is the key differences?

I have been left in confusion for quite some time in deciding which CA should i approach to obtain a SSL certificate. Much comparison has been made from different CA but I do not see what is the key differences that sets each other apart except the price they offer....

How to disable common name check in SSLContext in java?

I am using SSLContext so set up Jersey client, and need to disable the common name check in order to avoid unnecessary issues. However, I can find no documentation as to how we can do it correctly. So is the common name check disabled by default in SSLContext (assuming using...

How can i get Certificate issuer information in python?

I want the 'issued to' information from certificate in python. I try to use the SSL and SSLSocket library but did not happen. ...