3

I'm trying to work out how to make my outgoing/incoming emails as secure as I can possibly make them.

First of all, my domain has Wildcard OV SSL Certificates. I have copies of the .csr, .crt and .key files, but I don't have any PKCS12 files (.p12 or .pfx). Is it possible to get these from my SSL certificate so I can digitally sign outgoing emails via email clients like Outlook, Thunderbird, etc.?

Secondly, what are currently the "safest" / "best" security settings that I can and should use for my email client(s)? Below are all of the available options.

Incoming Options

Connection Security:

  • None
  • STARTTLS
  • SSL/TLS (Currently using via port 993)

Authentication Method:

  • Normal Password (Currently using via port 993)
  • Encrypted Password
  • Kerberos / GSSAPI
  • NTLM
  • TLS Certificate
  • OAuth2

Outgoing Options

Connection Security:

  • None
  • STARTTLS
  • SSL/TLS (Currently using via port 465)

Authentication Method:

  • No authentication (Not available)
  • Normal Password (Currently using via port 465)
  • Encrypted Password (Not available)
  • Kerberos / GSSAPI (Not available)
  • NTLM (Not available)
  • OAuth2 (Not available)

Last but not least, the same goes for PHPMailer: should I be using TLS or SSL (which one's better)?

$phpmailer->SMTPSecure = "tls"; // Choose SSL or TLS, if necessary for your server
Ryflex
  • 139
  • 1
  • 11

2 Answers

3

Try this to create a p12.

openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Your Name" -out cert.p12

The following are already "safe" and practical for a company to deploy.

  • Incoming Port: POP3 995 or IMAP 993 (SSL/TLS)

    SMTP Authentication Required

  • Outgoing Mail server (SMTP) Port: 465 (SSL/TLS)

    SMTP Authentication Required

Lastly, use TLS whenever you can. TLS performs better and there are security issues with some SSL protocols.

jarvis
  • 2,006
  • 4
  • 18
  • 31
  • I tried the openssl command you said and it asked me for an export password, I added them and it returns `unable to write 'random state'` – Ryflex May 10 '16 at 10:00
1

Inbound options do not apply to PHPMailer. SSL on port 465 (SMTPS) has been deprecated since 1998, though Microsoft didn't seem to notice. Use SMTP+STARTTLS on port 587 instead, which is what PHPMailer does when you use SMTPSecure = 'tls' & Port = 587. Note that PHPMailer does opportunistic TLS, in that if you don't tell it to use TLS and you connect to a server that supports it, it will use it automatically.

Recent PHPMailer 5.2 versions support XOAUTH2 authentication for Gmail, and 6.0 adds support for many other providers.

If you're using PHP older than 5.6, you should enable certificate verification (PHP 5.6+ does it by default).

Synchro
  • 3,148
  • 6
  • 27
  • 38
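
The settings this answer recommends, written out as an added example (not code from the answer or from the PHPMailer project). It assumes PHPMailer 6 installed through Composer; the host name, addresses and the SMTP_PASSWORD environment variable are placeholders.

```php
<?php
// Added example. Assumes PHPMailer 6 via Composer (vendor/autoload.php).
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require 'vendor/autoload.php';

// Hypothetical helper: returns a mailer that only talks SMTP over verified TLS.
function buildMailer($host, $user, $pass)
{
    $mail = new PHPMailer(true);   // true: throw exceptions instead of returning false
    $mail->isSMTP();
    $mail->Host     = $host;
    $mail->SMTPAuth = true;
    $mail->Username = $user;
    $mail->Password = $pass;

    // Weak: an empty SMTPSecure relies on opportunistic TLS, so the session
    // stays in plaintext whenever the server does not advertise STARTTLS.
    // $mail->SMTPSecure = '';
    // Corrected: require STARTTLS on the submission port; a failed upgrade
    // becomes an error instead of a plaintext session.
    $mail->SMTPSecure = 'tls';
    $mail->Port       = 587;

    // Certificate verification. These are the defaults on PHP 5.6+; setting
    // them explicitly covers older PHP and documents the intent.
    $mail->SMTPOptions = [
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
        ],
    ];
    return $mail;
}

try {
    $mail = buildMailer('smtp.example.com', 'user@example.com', (string) getenv('SMTP_PASSWORD'));
    $mail->setFrom('user@example.com', 'Example Sender');
    $mail->addAddress('recipient@example.net');
    $mail->Subject = 'STARTTLS test';
    $mail->Body    = 'Sent over SMTP with STARTTLS on port 587.';
    $mail->send();
    echo "Message sent\n";
} catch (Exception $e) {
    // A TLS or certificate failure surfaces here rather than being ignored.
    echo 'Send failed: ', $e->getMessage(), "\n";
}
```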