
Can I use SSL over port 25?


DeX


I'm not sure if this is the correct area for this question and it's not really code related but I wasn't sure which forum website was best to ask this.

 

One of my clients is doing a huge switch of their entire point of sale (POS) system and they're paying some company in the states a huge amount of money to provide the system and do the switch. We're configuring the desktop application to be able to automatically send out customer invoices or receipts and it needs email credentials in order to authenticate to some SMTP server of our choice.

 

I set it up on the dummy Gmail account that I use for all of the printers in the building but for reasons unknown to me this application is for some reason failing to send email over port 465 through the Gmail SMTP server. I've already made all the necessary changes in the Gmail web portal to allow external applications to access email and the printers can access it without issue. However when I switch this application to port 25 it works so I have a few questions regarding this:

 

1. Is it safe to continue allowing a POS to send customer receipts over port 25? Can we be sued for breaking some sort of privacy law?

 

2. Next to the port setting in the POS application there is a checkbox to use SSL. It allows us to check this, independent of the port selected. Is it possible to use SSL over port 25?


SMTPS on port 465 was deprecated back in the 90s (the port is now reserved for a completely different service). The standard way for mail submission over TLS is to start a plaintext connection on port 587 and then upgrade the protocol with the STARTTLS command. Port 25 is actually reserved for server-to-server communication, but some systems may still accept e-mail submission for legacy reasons.

 

In any case, you have to make sure that the connection is in fact encrypted (check both the configuration and the traffic). As I already said, the client has to request the protocol update. If that doesn't happen, everything is plaintext, even when the server does support TLS.



This seems a little out of my league but I'm going to attempt to break it down.

 

1. I'm using the Gmail SMTP server to send the email so is it possible to even send encrypted mail over port 25 with them?

 

2. Does the SSL get initiated by the client program initiating the email (our POS) or is the SSL controlled by the email server (Gmail)? I'm basically wondering if this program has the ability to force SSL and Gmail just accepts it, or does the program queue up the email and Gmail decides whether it is encrypted based on the port used?

 

3. In order to check if it's encrypted you mentioned checking the configuration and traffic. I'm not quite sure how to check this, can I see the outgoing data somehow?

 

4. If I use port 587 will Gmail automatically encrypt it or do I trust our client software will do the encryption? 

 

I'm a software guy, not too much of an expert on email servers and transfer protocols. Thanks a lot.


Unless you use port 465 (SMTPS) then you need to determine whether your application supports STARTTLS or not as that's what is needed to enable encryption on the other ports.

 

In general it's up to your SMTP client to request that encryption be enabled by issuing a STARTTLS command. Only SMTPS provided encryption from the get-go and as mentioned that has been deprecated (though still supported in places).

 

Regarding your initial concerns for privacy, keep in mind that even if you can get SSL working for delivering email to the Gmail servers it may be transmitted to its final destination over a plain-text channel. If the final address is somewhere other than Google then the message will need to be forwarded and not all servers support encrypted server-to-server communication so the message would then be sent in plain text. Google tracks some statistics about this if you're interested.

Edited by kicken
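An added example, not part of any post in this thread: one way to do the traffic check the replies above describe is to take the readable SMTP dialogue from a packet capture of the submission connection and confirm that no credentials or message commands appear before a successful STARTTLS. The "C: "/"S: " line prefixes, the function name and the sample hostnames are assumptions made for this example.

```python
import re

# Commands that carry credentials or message content. If any of them is
# readable in a capture, that part of the session crossed the wire unencrypted.
SENSITIVE = ("AUTH", "MAIL", "RCPT", "DATA")

def audit_smtp_capture(lines):
    """Classify the readable part of an SMTP session taken from a capture.

    Each line is prefixed "C: " (client) or "S: " (server); this prefix
    format is an assumption of the example. After a successful STARTTLS the
    rest of the session is TLS records, so no further commands are readable.
    """
    offered = requested = upgraded = False
    cleartext = []
    for line in lines:
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S":
            # EHLO reply lines look like "250-STARTTLS" or "250 STARTTLS".
            if re.fullmatch(r"250[- ]STARTTLS", text, re.IGNORECASE):
                offered = True
            elif requested and text.startswith("220"):
                upgraded = True  # server accepted; the TLS handshake follows
        elif side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                requested = True
            elif verb in SENSITIVE:
                cleartext.append(verb)  # readable on the wire, so not encrypted
    verdict = "plaintext" if cleartext else "encrypted" if upgraded else "inconclusive"
    return {"verdict": verdict, "starttls_offered": offered,
            "starttls_requested": requested, "cleartext_commands": cleartext}

# Constructed sample captures (hostnames and addresses are placeholders).
PLAINTEXT_CAPTURE = [
    "S: 220 mail.example.test ESMTP", "C: EHLO pos-terminal",
    "S: 250-mail.example.test", "S: 250-STARTTLS", "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN <redacted>", "S: 235 OK",
    "C: MAIL FROM:<receipts@example.test>",
]
UPGRADED_CAPTURE = [
    "S: 220 mail.example.test ESMTP", "C: EHLO pos-terminal",
    "S: 250-mail.example.test", "S: 250 STARTTLS",
    "C: STARTTLS", "S: 220 Ready to start TLS",
]
```

The first sample is the case where the server advertises STARTTLS but the client never requests it, so the verdict is "plaintext" even though TLS was available.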

I'm ready to start looking into this but I did change something so I'm wondering if I even need to look into anything. We switched it to use port 587 in the client application. Is this sufficient or do I still need to ensure it's actually getting encrypted? And just to make sure I have everything explained, it's using Gmail's SMTP server to send the mail over port 587.

