Search code examples
phpsecurityemailjoomlamta

Is server to server email transmission secure?

We are running a website with a web to email form. We force https to secure the transmission from the browser to the web server. From the web server we use PHP to generate an email message containing the information received. The destination email server is in another location. I am wondering if the transmission of the email from the web server to the destination email server is secure.

So I have several related questions:

A) Is the transmission of emails from the sender server to the recipient server secured by default? (To be clear, this is NOT a question about the connection from an email client to an SMTP server)

B) if the transmission is not secured by default, how can I check if messages are being transmitted securely?

C) if transmission is currently not secured, how can I request/force a secure connection?

We are using the default PHP mail function (via a Joomla extension)

Thank you!

Solution

  • A) initially, a server-to-server smtp connection is always in plain text on port 25. if both source and target server support the TLS extension then usually the plain connection gets converted into a encrypted connection with the STARTTLS command

    B) To check if a mail was transmitted over an encrypted connection, read the "Received"-Headers in the resulting message after it was transmitted.

    They look like this:

    Received: from X.example.com (X.example.com [y.y.y.y])
    by z.example.net (Postfix) with ESMTPS id ......

    The important part is the ESMTPS bit. The last S means "SECURED". If it just says "ESMTP" or "SMTP" instead of "ESMTPS" the transmission was not encrypted.

    C) if the target server does not support TLS there is nothing you can do except some sort of end-to-end encryption like PGP (as suggested by Álvaro G. Vicario). Some servers (like postfix) provide configuration options to prevent messages from going out at all if the target can not do TLS.

    you can test manually with telnet if a server supports STARTTLS:

    telnet gmail-smtp-in.l.google.com 25
Trying 173.194.70.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP 4si1878861eee.197 - gsmtp
EHLO mail.example.com              <--- you have to type that
250-mx.google.com at your service
250-SIZE 35882577
250-8BITMIME
250-STARTTLS                       <----- GMAIL supports TLS
250 ENHANCEDSTATUSCODES