Why we disable SMTP
Why we disable SMTP for our clients, and why you should disable it for your business.
First, a history lesson: how old is SMTP?
SMTP stands for “Simple Mail Transfer Protocol” and first appeared in 1982. Its purpose was, and still is, to carry electronic mail (email) between systems over the internet. The protocol itself has changed little since its release; instead, layers have been added on top of it to make the exchange more secure, chiefly TLS (the successor to SSL), a separate protocol that encrypts the connection between two endpoints so that the mail, and the credentials used to send it, do not cross the network in the clear.
So why is it a risk?
Online threats continue to develop, and security is the buzzword of the day. Many security frameworks have been created to help businesses identify and manage risk.
SMTP's main risk is its authentication. When a client or device logs in to a mail server to send mail (the SMTP AUTH extension), it almost always does so with basic authentication: a username and a password, handed over in one step. There is no point in that exchange at which the server can demand a second factor, so 2FA/MFA is never enforced on this path. POP3 and IMAP logins have the same weakness.
If a user is fooled into giving away their username and password (by a phishing page, say) and SMTP AUTH or POP3 is enabled on the mailbox, an attacker can log in over that protocol and start sending email as the user without ever being challenged for 2FA/MFA, bypassing the more modern security controls entirely.
Some platforms let you create a unique username and password locked to a single application (an “app password”), e.g. for an older copy of Outlook. This offers a little more protection, since the app password can be revoked on its own, but every app password is another MFA-free way into the mailbox, and it is very hard for a company to keep track of which applications hold one. That poses a security risk of its own.
The best course of action is to disable it: turn off SMTP AUTH, together with POP3 and IMAP, for every mailbox. In Office 365 this is a per-mailbox setting that can also be applied to the whole tenant.
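Before switching it off, find out who is still logging in this way. The script below is an added example (not from the original post, and not Mear Technology's own tooling) that reads Microsoft Entra ID (Azure AD) sign-in log records exported as JSON lines and reports which accounts have successfully authenticated over SMTP AUTH, POP3 or IMAP, plus which show a failed and then successful legacy login from the same address. The log lines are constructed for the example: the field names follow the sign-in log schema, but the users, addresses and times are invented.

```python
"""Triage who still logs in over SMTP AUTH, POP3 or IMAP before turning them off.

Added example, not code from the original post. Input is Microsoft Entra ID
sign-in log records exported as JSON, one object per line. The records below
are constructed: the field names follow the sign-in log schema
(userPrincipalName, clientAppUsed, ipAddress, status.errorCode) but the
users, addresses and times are invented.
"""
import json

# clientAppUsed values for the password-only mail protocols the post discusses.
# None of these logins can pause for an MFA prompt, so a stolen password suffices.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "POP3", "IMAP4"}

SAMPLE_LOG = r'''
{"createdDateTime":"2024-03-04T08:12:31Z","userPrincipalName":"alice@example.com","clientAppUsed":"Authenticated SMTP","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T08:13:02Z","userPrincipalName":"alice@example.com","clientAppUsed":"Browser","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T09:40:15Z","userPrincipalName":"printer-scan@example.com","clientAppUsed":"Authenticated SMTP","ipAddress":"192.0.2.44","status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T11:05:48Z","userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"createdDateTime":"2024-03-04T23:58:09Z","userPrincipalName":"bob@example.com","clientAppUsed":"Authenticated SMTP","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2024-03-05T00:01:17Z","userPrincipalName":"bob@example.com","clientAppUsed":"Authenticated SMTP","ipAddress":"203.0.113.7","status":{"errorCode":0}}
this line is deliberately corrupt and must be skipped
'''


def parse_signins(text):
    """Return one dict per JSON line, skipping blank or unparsable lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged export line should not abort the whole triage
    return records


def legacy_auth_report(records):
    """Summarise legacy-protocol sign-ins per account.

    Returns {upn: {"protocols": set, "by_ip": {ip: {"ok": n, "failed": n}}}}
    and includes only accounts that attempted a legacy sign-in at all.
    """
    report = {}
    for rec in records:
        proto = rec.get("clientAppUsed")
        if proto not in LEGACY_CLIENT_APPS:
            continue
        entry = report.setdefault(rec.get("userPrincipalName", "<unknown>"),
                                  {"protocols": set(), "by_ip": {}})
        entry["protocols"].add(proto)
        counts = entry["by_ip"].setdefault(rec.get("ipAddress", "?"),
                                           {"ok": 0, "failed": 0})
        # errorCode 0 is a successful sign-in; anything else is a failure
        # (50126, for example, is "invalid username or password").
        if rec.get("status", {}).get("errorCode") == 0:
            counts["ok"] += 1
        else:
            counts["failed"] += 1
    return report


def accounts_to_migrate(report):
    """Accounts with at least one successful legacy sign-in.

    These users and devices stop working the moment SMTP AUTH, POP3 and IMAP
    are disabled, so they need another sending path (or a modern client) first.
    """
    return sorted(upn for upn, e in report.items()
                  if any(c["ok"] for c in e["by_ip"].values()))


def accounts_to_investigate(report):
    """Accounts where one address both failed and succeeded at a legacy login.

    A crude signal for a guessed or phished password being used over a
    protocol that cannot challenge for MFA; a starting point for investigation,
    not proof of compromise.
    """
    return sorted(upn for upn, e in report.items()
                  if any(c["ok"] and c["failed"] for c in e["by_ip"].values()))


if __name__ == "__main__":
    rep = legacy_auth_report(parse_signins(SAMPLE_LOG))
    for upn in accounts_to_migrate(rep):
        print(f"{upn}: {sorted(rep[upn]['protocols'])} from {sorted(rep[upn]['by_ip'])}")
    print("investigate:", accounts_to_investigate(rep))
```

On the constructed data the triage lists alice, bob and the printer-scan account as still depending on a legacy protocol (the scanner is the classic device that breaks when SMTP AUTH is switched off), and singles out bob, whose mailbox saw a failed and then a successful SMTP login from the same address within minutes. Run against a real export, the first list is your migration backlog and the second is your incident queue.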
Don’t I need SMTP?
If you use a free ISP mailbox or a web-hosting company's email platform, then probably yes. If you use a modern platform such as Office 365, then no: Outlook and the mobile apps talk to Exchange over HTTPS, so SMTP AUTH is not used, and neither are the traditional inbound protocols POP3 and IMAP. Note that mail still travels between mail servers over SMTP; disabling SMTP AUTH only removes the ability to log in to your mail server with a username and password and send through it. Mail keeps arriving and leaving as before.
I want my website or newsletter platform to send email as my company. I have been told this can only be done via SMTP.
You have been told incorrectly. Most hosting companies block outbound SMTP connections from their servers to stop spammers using their platforms to send email. Corporate email systems also impose limits, such as the number of recipients a single message may have, that make this approach less attractive.
There are two ways to resolve this. The first is to send directly from the website's own server and update your domain's SPF record in DNS so that it lists the website's IP address as an authorised sender; receiving servers check that record and may reject or junk mail from a server it does not cover.
The other is to use a system designed for this, such as mailjet.com or sendgrid.com (there are many others). These also require changes to your DNS, typically an SPF include for the provider and DKIM records, so that mail sent on your behalf can be verified as genuinely yours.
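To see what that DNS change actually buys you, the script below (an added example, not code from the original post and not a complete SPF implementation) evaluates a domain's SPF record the way a receiving server does, for the ip4, include and all mechanisms, and enforces the ten-DNS-lookup limit from RFC 7208. DNS is replaced by dictionaries: example.com is the company domain, 203.0.113.10 is the assumed address of the website host, and the Office 365 and SendGrid records are made-up placeholders behind the real include names (spf.protection.outlook.com and sendgrid.net); every address inside them is invented.

```python
"""Evaluate a domain's SPF record the way a receiving mail server does.

Added example, not code from the original post. It models the SPF mechanisms
a small business record uses (ip4, include, all, with +/-/~/? qualifiers)
and the ten-DNS-lookup limit of RFC 7208. DNS is replaced by dictionaries;
every record and address below is constructed for this example.
"""
import ipaddress

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: exceeding this is a permerror

# Constructed stand-ins for the sending providers' SPF records. The include
# names are the ones the providers publish; the address ranges are invented.
PROVIDER_TXT = {
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/25 -all",
}

WEBSITE_IP = "203.0.113.10"     # assumed address of the company website host
SENDGRID_IP = "198.51.100.20"   # inside the constructed sendgrid.net range
UNKNOWN_IP = "203.0.113.200"    # authorised by nothing

# The company record as it stands (mail only via Office 365) ...
BEFORE = "v=spf1 include:spf.protection.outlook.com -all"
# ... and after authorising the website host and a bulk-sending service.
AFTER = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 include:sendgrid.net -all"

# A record chaining eleven includes: one over the limit, whatever they contain.
LOOKUP_HEAVY = {f"svc{i}.example": f"v=spf1 ip4:192.0.2.{i} -all" for i in range(11)}
LOOKUP_HEAVY["example.com"] = ("v=spf1 "
                               + " ".join(f"include:svc{i}.example" for i in range(11))
                               + " -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns_with(company_record):
    """Build the DNS view for example.com with the given SPF record."""
    return {**PROVIDER_TXT, "example.com": company_record}


def evaluate_spf(domain, sender_ip, dns, lookups):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip.

    lookups is a one-element list used as a counter shared across includes,
    because the limit applies to the whole evaluation, not to each record.
    """
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = evaluate_spf(arg, sender_ip, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # an include must point at a real record
            matched = sub == "pass"  # include matches only on pass
        elif name in ("a", "mx", "ptr", "exists", "ip6"):
            raise NotImplementedError(f"{name} is a real mechanism not modelled here")
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end without an "all" term


def check_sender(domain, sender_ip, dns):
    """Evaluate and also report how many DNS lookups the record consumed."""
    counter = [0]
    return evaluate_spf(domain, sender_ip, dns, counter), counter[0]


if __name__ == "__main__":
    for label, record in (("before", BEFORE), ("after", AFTER)):
        for ip in (WEBSITE_IP, SENDGRID_IP, UNKNOWN_IP):
            print(label, ip, check_sender("example.com", ip, dns_with(record)))
    print("too many includes:", check_sender("example.com", UNKNOWN_IP, LOOKUP_HEAVY))
```

With the BEFORE record the website's own server fails SPF, which is why its mail gets junked; with the AFTER record the website host and the sending service both pass, while an unrelated address still fails. The LOOKUP_HEAVY case shows the trap of bolting on one include per service: past ten lookups a receiver returns permerror and the record protects nothing. For real checks, replace the dictionaries with TXT lookups (for instance dnspython's dns.resolver) and add the a and mx mechanisms this stub deliberately leaves out.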
Mear Technology are available to guide you and provide advice. Get in touch and see how we can help.