2

I've installed sSMTP on Ubuntu 10.04 via:

    sudo apt-get install ssmtp

My configuration file is:

    #
    # Config file for sSMTP sendmail
    #
    # The person who gets all mail for userids < 1000
    # Make this empty to disable rewriting.
    [email protected]

    # The place where the mail goes. The actual machine name is required no
    # MX records are consulted. Commonly mailhosts are named mail.domain.com
    mailhub=smtp.gmail.com:587

    # Where will the mail seem to come from?
    #rewriteDomain=

    # The full hostname
    hostname=somedomain.com

    # Are users allowed to set their own From: address?
    # YES - Allow the user to specify their own From: address
    # NO - Use the system generated From: address
    #FromLineOverride=YES

    [email protected]
    authpass=****
    usestarttls=yes

Am I transmitting my credentials in clear text? Is calling ssmtp a secure operation?

Thanks.

2 Answers

3

Mail submission to smtp.gmail.com:587 will fail if STARTTLS is not issued:

    [palantir]-[/var/tmp]-[528] % nc smtp.gmail.com 587                  [2:16]
    220 mx.google.com ESMTP b3sm14232728ibf.7
    EHLO domain.com
    250-mx.google.com at your service, [67.167.112.165]
    250-SIZE 35651584
    250-8BITMIME
    250-STARTTLS
    250 ENHANCEDSTATUSCODES
    MAIL
    530 5.7.0 Must issue a STARTTLS command first. b3sm14232728ibf.7
    STARTTLS
    220 2.0.0 Ready to start TLS

For this use case, your credentials must be transmitted over TLS to be transmitted at all, so they are not being sent in the clear. Note however that while this is common behavior, this is not the required behavior -- it is quite possible that a server doesn't require TLS on the submission port, and also possible to similarly misconfigure your client.

As joschi mentioned, you can make sure it is encrypted with any tool that can capture packets off the wire, and I'd like to add tcpflow as a suggestion as well for that.

2
  • Would you say this is the best option for sending emails through a web site via something like PHP? As opposed to setting up a mail server. I'm just looking for something simple, with minimum security risk. Commented Jun 15, 2010 at 3:06
  • Sure, that will work. If you choose to send directly through your code / own mailserver at some point, see codinghorror.com/blog/2010/04/… as well. Commented Jun 16, 2010 at 21:31
2

Besides setting UseStartTLS you should also set UseTLS to yes. See ssmtp.conf(5).

You could also check whether ssmtp is using an encrypted connection by sniffing the traffic with wireshark or tcpdump.
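As an added example (not part of either answer), the check below classifies a submission server by the extensions it advertises before TLS: a server that lists AUTH before STARTTLS would accept a login from a client that never enabled TLS. `GMAIL_REPLY` is copied from the session in the first answer; `CONSTRUCTED_REPLY`, `mail.example.test` and the function names are assumptions made for illustration.

```python
import smtplib

# EHLO reply lines from the session in the first answer (sent before STARTTLS).
GMAIL_REPLY = [
    "250-mx.google.com at your service, [67.167.112.165]",
    "250-SIZE 35651584",
    "250-8BITMIME",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]
# Constructed reply from a hypothetical server that offers AUTH without TLS.
CONSTRUCTED_REPLY = [
    "250-mail.example.test",
    "250-STARTTLS",
    "250 AUTH PLAIN LOGIN",
]

def parse_ehlo(reply_lines):
    """Return the ESMTP keywords in a 250 EHLO reply (first line is the greeting)."""
    keywords = set()
    for line in reply_lines[1:]:
        words = line[4:].split()
        if line.startswith("250") and words:
            # "AUTH=LOGIN" is a legacy spelling of the AUTH keyword.
            keywords.add(words[0].split("=")[0].upper())
    return keywords

def cleartext_auth_risk(pre_tls_keywords):
    """Classify a server by what it advertises before TLS is negotiated."""
    has_tls = "STARTTLS" in pre_tls_keywords
    has_auth = "AUTH" in pre_tls_keywords
    if has_auth and not has_tls:
        return "no-tls"        # a login here can only travel unencrypted
    if has_auth:
        return "tls-optional"  # a client without STARTTLS enabled could log in unencrypted
    if has_tls:
        return "tls-first"     # AUTH is not offered until after STARTTLS
    return "no-auth"

def probe(host, port=587, timeout=10):
    """Live variant (needs network): sends EHLO only, never credentials."""
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        server.ehlo()
        return cleartext_auth_risk({k.upper() for k in server.esmtp_features})

if __name__ == "__main__":
    print(cleartext_auth_risk(parse_ehlo(GMAIL_REPLY)))        # tls-first
    print(cleartext_auth_risk(parse_ehlo(CONSTRUCTED_REPLY)))  # tls-optional
```

A `tls-optional` or `no-tls` result means the protection depends entirely on the client configuration, which is the case where a packet capture of an actual send is worth doing.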
