Your question should be specific to WordPress. Generic PHP/JS/SQL/HTML/CSS questions might be better asked at Stack Overflow or another appropriate Stack Exchange network site. Third-party plugins and themes are off-topic for this site; they are better asked about at their developers' support routes.
Closed 5 years ago.
Improve this questionWhen setting up the WPForms WP Mail SMTP plugin, I got this choice:
Encryption: ( ) None ( ) SSL ( ) TLS
For most servers TLS is the recommended option. If your SMTP provider offers both SSL and TLS options, we recommend using TLS.
What do those options mean? Do they mean (like in normal conversation):
- SSL = SSLv3
- TLS = at least TLS 1.0
or do they mean (like in Outlook and some other mail clients):
- SSL = TLS
- TLS = STARTTLS
I was assuming the latter, because that is really common with mail stuff.
But if that is the case, why would the plugin recommend to prefer "TLS" (STARTTLS, which is insecure) to "SSL" (TLS, which is safe)?
Closed. This question is off-topic. It is not currently accepting answers.Your question should be specific to WordPress. Generic PHP/JS/SQL/HTML/CSS questions might be better asked at Stack Overflow or another appropriate Stack Exchange network site. Third-party plugins and themes are off-topic for this site; they are better asked about at their developers' support routes.
Closed 5 years ago.
Improve this questionWhen setting up the WPForms WP Mail SMTP plugin, I got this choice:
Encryption: ( ) None ( ) SSL ( ) TLS
For most servers TLS is the recommended option. If your SMTP provider offers both SSL and TLS options, we recommend using TLS.
What do those options mean? Do they mean (like in normal conversation):
- SSL = SSLv3
- TLS = at least TLS 1.0
or do they mean (like in Outlook and some other mail clients):
- SSL = TLS
- TLS = STARTTLS
I was assuming the latter, because that is really common with mail stuff.
But if that is the case, why would the plugin recommend to prefer "TLS" (STARTTLS, which is insecure) to "SSL" (TLS, which is safe)?
Share Improve this question asked Sep 22, 2019 at 6:13 AndreKRAndreKR 1331 silver badge4 bronze badges 2- 1 To know more about the options of a plugin, you'd better contact its author directly, rather than posting it on a general forum like WPSE. – cjbj Commented Sep 22, 2019 at 11:06
- 1 Hey close voters: I know the config UI we're talking about is from a plugin, but these config options are the exact same names used by wp-includes/class-phpmailer.php. Which is in WordPress core. – Rup Commented Sep 24, 2019 at 11:35
1 Answer
Reset to default 2WP Mail is just a wrapper for configuring WordPress's PHPMailer (wp-includes/class-phpmailer.php). PHPMailer's documentation says:
Encryption flavours
There are two "flavours" of transport encryption available for email:
- "SMTPS", also referred to as "implicit" because it assumes that you're going to be using encryption right from the start of the connection. In PHPMailer this mode is selected by setting SMTPSecure = 'ssl', and usually requires Port = 465.
- "SMTP+STARTTLS", also referred to as "explicit" because it initially connects insecurely then explicitly asks for the connection to start using encryption. In PHPMailer this mode is selected by setting SMTPSecure = 'tls', and usually requires Port = 587 (defined in RFC6409), though it can work on any port.
So yes it looks like TLS = STARTTLS.
The security issue with STARTTLS is if the client silently connects in the clear if TLS isn't available. At first glance PHPMailer does not do this:
if ($tls) {
if (!$this->smtp->startTLS()) {
throw new Exception($this->lang('connect_host'));
}
If you choose encryption=TLS then the $tls flag is set independently of the server reporting STARTTLS, so I think it is secure. 'TLS if available' is $SMTPAutoTLS, which defaults to on.
发布者:admin,转转请注明出处:http://www.yc00.com/questions/1745138109a4613300.html
评论列表(0条)