Question

We are running a website with a web to email form. We force https to secure the transmission from the browser to the web server. From the web server we use PHP to generate an email message containing the information received. The destination email server is in another location. I am wondering if the transmission of the email from the web server to the destination email server is secure.

So I have several related questions:

A) Is the transmission of emails from the sender server to the recipient server secured by default? (To be clear, this is NOT a question about the connection from an email client to an SMTP server)

B) if the transmission is not secured by default, how can I check if messages are being transmitted securely?

C) if transmission is currently not secured, how can I request/force a secure connection?

We are using the default PHP mail function (via a Joomla extension)

Thank you!


Solution

A) Initially, a server-to-server SMTP connection is always in plain text on port 25. If both source and target server support the TLS extension, then usually the plain connection gets converted into an encrypted connection with the STARTTLS command.

B) To check if a mail was transmitted over an encrypted connection, read the "Received"-Headers in the resulting message after it was transmitted.

They look like this:

Received: from X.example.com (X.example.com [y.y.y.y])
    by z.example.net (Postfix) with ESMTPS id ......

The important part is the ESMTPS bit. The last S means "SECURED". If it just says "ESMTP" or "SMTP" instead of "ESMTPS" the transmission was not encrypted.

C) If the target server does not support TLS there is nothing you can do except some sort of end-to-end encryption like PGP (as suggested by Álvaro G. Vicario). Some servers (like Postfix) provide configuration options to prevent messages from going out at all if the target cannot do TLS.

You can test manually with telnet if a server supports STARTTLS:

telnet gmail-smtp-in.l.google.com 25
Trying 173.194.70.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP 4si1878861eee.197 - gsmtp
EHLO mail.example.com              <--- you have to type that
250-mx.google.com at your service
250-SIZE 35882577
250-8BITMIME
250-STARTTLS                       <----- GMAIL supports TLS
250 ENHANCEDSTATUSCODES  
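
An added example, not part of the answer above, that automates the two checks it describes: parsing the Received headers of a delivered message to see which hop was ESMTPS, and inspecting an EHLO reply for the STARTTLS extension. The message, hostnames and EHLO text are constructed for the example.

```python
import re
import email
from email import policy

# Constructed sample: a form mail relayed through two hops. The first hop
# (web server -> relay) used plain ESMTP, the second hop used ESMTPS.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.destination.example (Postfix) with ESMTPS id 4F2A1C0001;
    Mon, 1 Jan 2024 10:00:02 +0000
Received: from web01.example.com (web01.example.com [192.0.2.5])
    by mx.example.net (Postfix) with ESMTP id 1B3C9D0002;
    Mon, 1 Jan 2024 10:00:01 +0000
From: webform@example.com

body
"""

# Constructed EHLO reply, modelled on the telnet session in the answer.
SAMPLE_EHLO = """250-mx.google.com at your service
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)")

def received_hops(raw_message):
    """Return (from_host, by_host, protocol, encrypted) per hop, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(header).split()))  # unfold the header
        if not m:
            continue
        from_host, by_host, proto = m.groups()
        # Postfix writes ESMTPS for a TLS hop and ESMTPSA for TLS plus SMTP AUTH;
        # the trailing S (after dropping a trailing A) is the "secured" marker.
        encrypted = proto.upper().rstrip("A").endswith("S")
        hops.append((from_host, by_host, proto, encrypted))
    return list(reversed(hops))  # each relay prepends, so the top header is the last hop

def ehlo_advertises_starttls(ehlo_reply):
    """True if a raw multi-line 250 reply to EHLO lists the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        parts = line.strip()[4:].split()  # drop the "250-" / "250 " prefix
        if line.startswith("250") and parts and parts[0].upper() == "STARTTLS":
            return True
    return False
```

Any hop reported with `encrypted == False` is a leg on which the form data crossed the network in clear text.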


Other tips

In fact, I think it is a question about connection from an e-mail client to SMTP server after all. When source server connects to destination server to deliver a message it becomes a client. It uses the SMTP protocol just like your desktop e-mail program. There's a very important difference, though:

  • When you use a regular e-mail client you normally use the same trusted provider that can (and should) offer certain security measures, including authentication and encryption.

  • When a mail server connects to a third-party server, it connects anonymously and it needs to establish an unencrypted connection to port 25. They don't have a prior agreement to do things otherwise.

Given that the channel is in clear, server-to-server communication is not secure unless the message itself is encrypted (PGP or whatever). You can think of e-mail messages like snail mail post-cards.

(For this reason, those sites that e-mail your password in clear when you sign up are doing it wrong.)

With due respect to the very good answers so far, in Joomla! the SMTP mail function is handled by JMail which extends from the PHPMailer class. When setting up Joomla! you have three different options:

  1. PHP Mail - uses PHP mail() settings via PHPMailer.
  2. Sendmail - uses sendmail via PHPMailer...
  3. SMTP - uses PHPMailer class

The PHPMailer class supports both TLS and SSL in its SMTP connection negotiation.

Of course, this is dependent on you setting it up in your Global Configuration->Server. In the pane titled Mail Settings you can turn on SMTP Security (SSL|TLS) and provide your Username and Password. These details are required to authenticate with your SMTP server.

Licensed under: CC-BY-SA with attribution