Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does System.Net.Mail.SmtpClient use SSL, TLS, StartTLS, or a combination?

This question has answers about negotiating the best version of TLS/SSL available with the server: Which versions of SSL/TLS does System.Net.WebRequest support?

However I thought SmtpClient used regular Smtp for transport, with TLS on top - which as I understand it is StartTLS.

I am documenting some software (a box ticking exercise) and need to state which protocols are used, and security protocols are really not my area of expertise so how can I explain this well?

like image 659
Mr. Boy Avatar asked Apr 20 '16 10:04

Mr. Boy


People also ask

What versions of TLS can System Net Mail SmtpClient use?

By default most systems allow SSL 3.0, TLS 1.0, 1.2 and 1.2 to be used, when connecting using SMTP client. smtp.

Should I use SSL TLS or STARTTLS?

While STARTTLS has TLS in its name, it's not necessary to use TLS; users can choose SSL instead. The difference between SSL/TLS and STARTTLS is the latter is not a protocol but a command issued between an email program and a server. STARTTLS notifies a mail server that the contents of an email need to be encrypted.

What is Net Mail SmtpClient?

This class allows you to attach files, streams, or text to an email message. MailAddress. Represents the email address of the sender and recipients. MailMessage. Represents an email message.

Should I use SSL or TLS for email?

TLS is the preferred encryption method because it's newer and offers more robust security features than SSL does. It's also a good idea to combine TLS-based email encryption with email authentication to ensure the integrity of email messages.


1 Answers

According to the documentation it can only do explicit TLS (i.e. STARTTLS) and not implicit TLS (SMTPS):

The SmtpClient class only supports the SMTP Service Extension for Secure SMTP over Transport Layer Security as defined in RFC 3207. In this mode, the SMTP session begins on an unencrypted channel, then a STARTTLS command is issued by the client to the server to switch to secure communication using SSL. See RFC 3207 published by the Internet Engineering Task Force (IETF) for more information.

like image 92
Steffen Ullrich Avatar answered Sep 16 '22 14:09

Steffen Ullrich