Should TLS be used for email on localhost?

0

I have an application (written in PHP) which sends email using SMTP and runs on the same system as the email server. Are there any security concerns about using port 25 on localhost rather than port 587 on the server's external IP with TLS?

Thanks

Keith M

Posted 2014-06-27T13:37:52.983

Reputation: 1

A port is a port. There is no difference between port 25 and port 587. – Ramhound – 2014-06-27T13:40:06.663

There is a difference, because the mail server will not accept TLS on port 25. – Keith M – 2014-06-27T17:26:02.227

That sounds like a server application limitation and/or a configuration problem. I was speaking from a pure technical perspective. – Ramhound – 2014-06-27T22:35:37.350

I know what you mean, but a port is just an advertised connection to a server, so its behavior is defined by that server. That's not really an application limitation and/or configuration problem. – Keith M – 2014-06-29T05:45:29.547

Answers

0

My guess here, with a strictly localhost connection, is that you'd need root access to peek at any data flowing back and forth to the server. At that point a malicious user could find the data using many other means.

If true, I think you're fine with the "listen only on localhost" connection.

That said, bear in mind that these things tend to expand, and soon you may want to check mail from afar. Then you'd want TLS. You can revisit it then, or bite the bullet now.

Rich Homolka

Posted 2014-06-27T13:37:52.983

Reputation: 27 121

This application only sends, and no change is expected in that behavior. Not being an email expert, the thing I'm not clear about is what happens when the email is relayed from localhost to the destination mail server. Does that only get encrypted if my application makes a TLS connection? – Keith M – 2014-06-27T16:28:11.347
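The answer above depends on the mail server's port 25 being bound only to the loopback interface. The following is an added example, not part of the original thread, that checks that condition from the output of `ss -ltn` on a Linux host; the sample output and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       100     [::1]:25            [::]:*
LISTEN  0       100     0.0.0.0:587         0.0.0.0:*
LISTEN  0       128     *:22                *:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or unrelated line
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any %interface scope suffix.
        yield addr.strip("[]").split("%")[0], int(port)

def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcard binds are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or anything unparseable is treated as exposed

def exposed_listeners(ss_output, port):
    """Addresses where `port` listens on something other than loopback."""
    return [a for a, p in parse_listeners(ss_output)
            if p == port and not is_loopback(a)]

def classify(ss_output, port):
    """Return 'not listening', 'loopback only' or 'exposed' for `port`."""
    if not any(p == port for _, p in parse_listeners(ss_output)):
        return "not listening"
    return "exposed" if exposed_listeners(ss_output, port) else "loopback only"

if __name__ == "__main__":
    for port in (25, 587, 465):
        print(f"port {port}: {classify(SAMPLE_SS, port)}")
```

On a real host, pass the captured output of `ss -ltn` in place of `SAMPLE_SS`.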