WP Mail SMTP: What do the SSL/TLS options mean? [closed]

When setting up the WPForms WP Mail SMTP plugin, I got this choice:

[Screenshot of the plugin's Encryption setting, which reads:]

Encryption: ( ) None ( ) SSL ( ) TLS
For most servers TLS is the recommended option. If your SMTP provider offers both SSL and TLS options, we recommend using TLS.

What do those options mean? Do they mean (like in normal conversation):

  • SSL = SSLv3
  • TLS = at least TLS 1.0

or do they mean (like in Outlook and some other mail clients):

  • SSL = TLS
  • TLS = STARTTLS

I was assuming the latter, because that is really common with mail stuff.

But if that is the case, why would the plugin recommend preferring “TLS” (STARTTLS, which is insecure) over “SSL” (TLS, which is safe)?

1 Answer

WP Mail is just a wrapper for configuring WordPress’s PHPMailer (wp-includes/class-phpmailer.php). PHPMailer’s documentation says:

Encryption flavours

There are two “flavours” of transport encryption available for email:

  • “SMTPS”, also referred to as “implicit” because it assumes that you’re going to be using encryption right from the start of the connection. In PHPMailer this mode is selected by setting SMTPSecure="ssl", and usually requires Port = 465.
  • “SMTP+STARTTLS”, also referred to as “explicit” because it initially connects insecurely then explicitly asks for the connection to start using encryption. In PHPMailer this mode is selected by setting SMTPSecure="tls", and usually requires Port = 587 (defined in RFC6409), though it can work on any port.

So yes, it looks like TLS = STARTTLS.

The security issue with STARTTLS is whether the client silently connects in the clear when TLS isn’t available. At first glance PHPMailer does not do this:

    if ($tls) {
        // $tls is true when SMTPSecure == 'tls' was chosen (or when SMTPAutoTLS
        // found STARTTLS advertised in the server's EHLO response)
        if (!$this->smtp->startTLS()) {
            // no silent fallback to plaintext: a failed STARTTLS aborts the connection
            throw new Exception($this->lang('connect_host'));
        }
    }

If you choose encryption=TLS then the $tls flag is set independently of the server reporting STARTTLS, so I think it is secure. ‘TLS if available’ is $SMTPAutoTLS, which defaults to on.
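As an added example (not code from WP Mail SMTP or PHPMailer), this is what the three plugin choices correspond to as PHPMailer settings, applied through WordPress's real `phpmailer_init` hook; the host, credentials and environment variable name are placeholders. It pins the "TLS" choice to mandatory STARTTLS so the opportunistic `SMTPAutoTLS` behaviour never decides whether mail leaves in the clear.

```php
<?php
// Added example: force explicit (STARTTLS) encryption for WordPress mail.
// Placeholders: smtp.example.com, user@example.com, SMTP_PASSWORD.
add_action('phpmailer_init', function ($phpmailer) {
    $phpmailer->isSMTP();
    $phpmailer->Host     = 'smtp.example.com';          // placeholder
    $phpmailer->SMTPAuth = true;
    $phpmailer->Username = 'user@example.com';           // placeholder
    $phpmailer->Password = getenv('SMTP_PASSWORD');      // keep secrets out of wp-config.php

    // Plugin "TLS"  -> SMTPSecure 'tls' = SMTP+STARTTLS, normally port 587.
    // With SMTPSecure set to 'tls', PHPMailer's $tls flag is true regardless of
    // what the server advertises, and a failed startTLS() throws instead of
    // continuing in plaintext.
    $phpmailer->SMTPSecure = 'tls';
    $phpmailer->Port       = 587;

    // Plugin "SSL"  -> implicit TLS from the first byte, normally port 465:
    // $phpmailer->SMTPSecure = 'ssl'; $phpmailer->Port = 465;

    // Plugin "None" -> SMTPSecure '' ; then SMTPAutoTLS (default true) upgrades
    // to STARTTLS only if the server offers it and otherwise sends in the clear.
    // Setting it explicitly documents that intent; it has no effect once
    // SMTPSecure is 'tls'.
    $phpmailer->SMTPAutoTLS = true;

    // Stream-context options passed to PHP's TLS layer: keep peer and hostname
    // verification on so a STARTTLS session cannot be redirected to an
    // impersonating server.
    $phpmailer->SMTPOptions = [
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
        ],
    ];
});
```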
