即使没有在同一台计算机上使用不带SSL / TLS的SMTP发送电子邮件也不安全吗?
[英]Is Sending Email using SMTP without SSL/TLS insecure even if its in the same computer?
问题描述
I'm writing a rails application where I have to send emails (for password reset/ contact form etc..). 
我正在编写一个Rails应用程序,我必须在其中发送电子邮件(用于密码重置/联系方式等)。 And I can get the email to work without SSL/TLS but with SSL/TLS it always results in a timeout. 而且我可以使电子邮件在没有SSL / TLS的情况下正常工作,但有了SSL / TLS,它总是会导致超时。
The question I have is how insecure is it to not use SSL/TLS? 我的问题是不使用SSL / TLS有多不安全? Is not using SSL/TLS not a problem if my rails application and the mail server are located in the same machine? 如果我的Rails应用程序和邮件服务器位于同一台计算机上,则不使用SSL / TLS不会成为问题吗? Does not using SSL/TLS mean that only the communication between my rails app and the mail server is not secure but the communication between the mail server and recipient will still be secure? 不使用SSL / TLS意味着仅我的Rails应用程序与邮件服务器之间的通信不安全,而邮件服务器与收件人之间的通信仍然安全吗?
For your information, following is my rail mail configuration. 供您参考,以下是我的铁路邮件配置。 Do you see anything wrong with that? 你有什么不对吗?
config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = {
address: 'secure.mailserver.com',
port: 465,
user_name: 'no-reply@mydomain.org',
password: 'password',
enable_starttls_auto: true,
authentication: "plain"
}
1 个解决方案
解决方案1
1 2014-05-21 02:11:21
Is not using SSL/TLS not a problem if my rails application and the mail server are located in the same machine?
There's very little point in using SSL/TLS from localhost to localhost in general. 通常,从localhost到localhost使用SSL / TLS几乎没有意义。
Does not using SSL/TLS mean that only the communication between my rails app and the mail server is not secure but the communication between the mail server and recipient will still be secure?
The communication between your mail server (the MSA ) and the recipient can't be assume to be secure (MSAs and MTAs generally don't use SSL/TLS between them, or at least you can never make this assumption). 不能假定您的邮件服务器( MSA )和收件人之间的通信是安全的(MSA和MTA通常在它们之间不使用SSL / TLS,或者至少您永远不能做出此假设)。
If you want e-mail security up to the recipient, use message-level encryption (eg S/MIME). 如果要将电子邮件安全性提高到收件人,请使用消息级加密(例如S / MIME)。
The SSL/TLS encryption between the Mail User Agent (your Rails app, or Thunderbird, ...) and your MSA (the server it connects to) is generally useful when you need to provide a password to authenticate to that server. 当您需要提供密码以验证该服务器时,邮件用户代理(您的Rails应用程序,或Thunderbird,...)和您的MSA(它连接到的服务器)之间的SSL / TLS加密通常非常有用。 It's also useful for the general transport-level security, at least against potential attackers located between your user agent and the server (eg if you're on a public network). 它对于一般的传输级安全性也很有用,至少针对位于用户代理和服务器之间的潜在攻击者(例如,如果您位于公共网络上)。
In your configuration, you're using port 465 and STARTTLS. 在您的配置中,您使用的是端口465和STARTTLS。 Generally, port 465 is for SMTPS (SMTP over SSL/TLS, where the SSL/TLS channel is established first), whereas port 587 is used for SMTP+STARTTLS (where there's some plain SMTP traffic before an upgrade to SSL/TLS via STARTTLS ). 通常,端口465用于SMTPS(首先建立SSL / TLS通道的SMTP over SSL / TLS),而端口587用于SMTP + STARTTLS(在通过STARTTLS升级到SSL / TLS之前存在一些普通SMTP流量) )。 (More details here .) (更多详细信息在这里 。)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.