Using SSL/TLS when sending an email from PHP
I am very new to email servers and sending email with PHP...
Is it possible to have email sent from a PHP script on my server encrypted using SSL or TLS before it is sent to the recipient's mail server?
I need to ensure only the intended recipient can read the email, in case the transmission is intercepted on its journey to their mail server.
I am not sure if this is possible, as the recipient's mail server would not know the public key right? So how could it decrypt the email?
As b开发者_开发问答ackground, I am not actually hosting email accounts for anyone - so it is not a case of the users authenticating with my server and downloading emails for them hosted there. I just have a script triggering an alert email to be sent from "notifications@danbaylis.com" (which is not a real email address on the server so you can't reply to it) to the user's real email address (which my application knows). I need a way to make sure this email is securely sent from PHP on my server, to the recipients mail server.
I have looked at the mail() function in PHP, as well as the PHPMailer class - but I am not sure how I would configure either of these methods to securely send the email.
All my research just shows how to install SSL in on my server so users can securely download email stored on my server - which is not what I am trying to do here.
I am running Centos5.7 which I believe has a mail server installed, though I am not sure if PHP actually uses that by default..
Thanks for any help!
You can't guarantee that an email will be delivered to the recipient's mailbox. The ONLY place you is the connection between your mail client, and your outgoing SMTP server. After that, it's utterly out of your hands.
If you need to guarantee privacy on the email, you'll have to encrypt the body of the email. What you want is an S/MIME or PGP message. Not that this still leaves SOME information publicly available - the mail body will be encrypted, but addressing information will necessarily still be readable - intermediate mail servers still need to know how to deliver the mail
The type of encryption you are looking for is not SSL/TSL, which is used to encrypt transmission between the client (PHP) and the SMTP server which will send it on. SSL/TLS makes no guarantee that the data will be encrypted all the way to its endpoint. In fact, it almost certainly won't be as the data is relayed between SMTP servers and switches along the way.
Instead you are looking for PGP encryption, which can be implemented in PHP using the GnuPG functions. You must encrypt the message using your recipient's public key. It can then only be decrypted and read with the recipient's private key, held by the recipient alone.
To implement this in mail()
, you would first encrypt the message body, then pass the encrypted, ascii armored block to mail()
as its third parameter. Message headers will not be encrypted, only the body.
Addendum
The way secure message transmission is handled by most banks and medical services (in the US, anyway) is not to send email at all. Instead, messages which must be kept secure are stored in a user's "inbox" with the website. The user must login (over SSL) to the website to read messages in the secure inbox. Email is only sent to notify the user that new messages are waiting.
精彩评论