How do I send secure emails from PHP?

[johnsmith153]

very simple question (if you know how).

 

I want to send emails with PHP that contain passwords etc.

 

The site DOES have https/SSL.

 

I do know how to send normal emails from PHP.

 

Somebody has said "authenticate to your SMTP server" but I haven't a clue what this means.

[WolfRage]

Youcan use the Xpertmailer system. http://www.xpertmailer.com/

But really you should know that email if not encryted, really is not safe. It may be safe from your server to the SMTP provider, but once they send it out to other mail servers, it is almost always transfered using normal unsecured SMTP delivery methods. Which means it is wide open to any one screening the data. So I would suggest using encryption on the emails and just going that route.

[npsari]

Actually, i never thought of sending emails in a Secure Way

 

I simply use the normal PHP send email function

 

<?php

$Subject="This was sent using PHP";
$Sender="YOUR EMAIL";
$Send_to="RECEIVER EMAIL";
$Message="Lets hope this message arrives, I got this from Zortin";


if(mail($Send_to, $Subject, $Message, "From: $Sender")){
print"<br><br><FONT style=\"font-size:26px\" color=\"#009300\" face=\"Arial\"><B>Sent to: $SendTo  ... Sender: $Sender</B></FONT>";
}else{
print"<br><br><FONT style=\"font-size:26px\" color=\"#FF0000\" face=\"Arial\"><B>Did not send to: $SendTo  ... Sender: $Sender</B></FONT>";
}

?>

 

I dont think this is not Secure, How can it be Secure, I am not sure i get it

[php.ajax.coder]

Google 'PHPmailer'

 

you can use SSL

[WolfRage]

Both of you are missing a critical point though the email will never truly be secured unless encryption is used. Encryption is the only means for send sensitive data over a insecure channel in a secure fashion.

[PFMaBiSmAd]

Edit: basically says the same as above ^^^

 

Assuming that the mail server that php is sending through supports a SSL connection, using a SSL connection between the php script and that mail server only secures the email for that part of the journey. After that, like WolfRage already stated, it is then sent to the final mail system as plain text.

[johnsmith153]

I now understand I MUST encrypt messages. Using SSL is pretty useless then.

 

Just to clarify, Wolfgang, are you saying that the Xpertmailer system. http://www.xpertmailer.com/ will encrypt emails? (or do you just recommend this for SSL but I still need to encrypt some way) If it won't encrypt emails, how would I encrypt my emails? (are you just saying encrypt the body/subject text in PHP and send that - ie I could just send using PHP mail() command with the body text encrypted?)

 

Would encrypting emails then need an encryption key to be used when, for example, they view their email in MS Outlook - or would it just be seen normally?

 

If the solution to this is to encrypt an email manually and decrypt manually (not good for a user) - then how would the big sites send out emails with passwords - or even just links to 'change your password' (I am sure Facebook would do this for example.)? Surely there is always a hacker trying to sniff out an email from these big sites.

 

[WolfRage]

Xpertmailer will not encrypt the emails for you but it can handle all of your ssl needs.

To use encryption like PGP this link should help. http://us2.php.net/gnupg

Originally I thought you wanted to send a sensitive email to a known recipeint, which would have allowed for you to arrange for some encryption.

If you are just sending emails to people that have lost their password, I would send them a email with a link to a ssl secured web page that would request a different piece of verification and if they are correct then expose their password to them.

There are numerous ways that you can go about that but each will have it's own weaknesses and the stronger the method the less convenient it will be for the user.