Encrypting emails that are sent from local email server on OJS3

alirezaaa · July 4, 2020, 4:59pm

Hello,

Is there an option to encrypt email that are sent from OJS3? We do not use a SMTP server and emails are sent from PHP mail() function.

Cheers,
Ali

juanito · July 5, 2020, 3:33am

hello @alirezaaa

Emails have a bit layer encryption with SSL.

SMTP server SSL → SMTP server SSL.

Do you have installed a SMTP server in your server?

alirezaaa · July 5, 2020, 5:37am

Hello @juanito,

I don’t think we have SMTP sever installed because the below line is commented in the config file.
; smtp = On

But we have no problem sending emails from the server.

juanito · July 11, 2020, 9:56pm

Hi @alirezaaa .

OJS uses, by default, localhost smtp server.

You have on your infrastructure a localhost SMTP server, installed.

Thanks.

alirezaaa · July 12, 2020, 4:55am

Hi @juanito

Yes and we have SSL certificate on our server too. But I think OJS3 currently does not support encoding emails from the local email server.

I hope some one from OJS core could confirm this and guide on how to implement it.

Cheers.

alirezaaa · July 20, 2020, 9:07am

Hello @ctgraham,

Do you have any ideas about this topic:

Best,
Ali

ctgraham · July 20, 2020, 1:53pm

This will depend on what is intended by “encrypting email”. Email can be encrypted in content, or in transit.

To encrypt the email content involves either signing the content (validating the sender), or actually encrypting the content (limiting decryption to select recipients). To do that requires the use of a tool such as PGP. This could be integrated into OJS if a plugin were to be written.

To encrypt the transit of the email involves enabling SSL on the SMTP transmission of the message. Note that you only have control of the first hop in the network; after that, it is dependent on every intermediary route in the network to voluntarily encrypt the transmission. This is why email is inherently insecure. OJS supports SSL with SMTP. Using the native PHP mailer function will rely on PHP’s settings (and probably your local server settings), where SSL can be enabled or disabled for the first hop in the transmission.

What kind of encryption is of interest here?

alirezaaa · July 22, 2020, 9:06am

Hello @ctgraham,

You can see the problem in attached screenshot. It says that local mail server did not encrypt the email and this is a security risk.

ojs

I guess this regards the transit of the emails. PHPMailer() supports SSL. But I am not sure how to set the parameters in the send() function (file classes/mail/Mail.inc.php). Our server has openSSL and the required certificates.

Is this the correct way to handle this issue?

Regards,
Ali

ctgraham · July 22, 2020, 1:05pm

For SMTP connections, the security configuration is in config.inc.php:

github.com

pkp/ojs/blob/966f98805cfcab720d4b62df01320ff5e7e6277f/config.TEMPLATE.inc.php#L310-L318


; SMTP server settings
; smtp_server = mail.example.com
; smtp_port = 25

; Enable SMTP authentication
; Supported mechanisms: ssl, tls
; smtp_auth = ssl
; smtp_username = username
; smtp_password = password

You may be able to use SMTP to connect to your local host, if your server has port 25, 465, or 587 open locally.

If you are using the PHP mail() function (SMTP off), then this is configured either in your PHP settings, or on the local mailserver itself (postfix, sendmail, etc).

Ask your system administrator or hosting provider for assistance in selecting the best mailer option and settings for your server.