CODEWITHSUNDEEP
phpimap
Terradon
Terradon

Reputation: 858

How to secure imap_open connection

i use imap_open() to establish a connection with my mailserver for checking bounced emails.

$pop3conn  = imap_open('{localhost:110/pop3}', MAILLOGIN, MAILPWD);

if($pop3conn == false)
echo'<br />no conn';
else
{
    // check mail headers and bodies
}

I get a PHP Notice about insecure authentication:

Notice: Unknown: SECURITY PROBLEM: insecure server advertised AUTH=PLAIN (errflg=1) in Unknown on line 0

I have searched on php.net and googled for hours, but can't find a solution how to get rid of this.

the only thing i found did also not work: adding /secure to the servername.

$pop3conn  = imap_open('{localhost:110/pop3/secure}', MAILLOGIN, MAILPWD);

then i get:

Notice: Unknown: Can't do secure authentication with this server (errflg=2) in Unknown on line 0

Thanks in advance for any help!

Upvotes: 2

Views: 10539

Answers (3)

ino
ino

Reputation: 2591

The question is few year old but I came across with the same issue: 

imap_open("{imap.domain.com:143}INBOX", 'username', 'password');

gaves me error SECURITY PROBLEM: insecure server advertised AUTH=PLAIN.

So, it says I am sending the credentials unsecured. All I had to do is to go to my mail provider to find out any other way how to connect securely.

Standard ports are:

Protocol      Unsecured      Secured
POP3          110            995 (SSL, TLS)
IMAP4         143            993 (SSL, TLS)
SMTP          25             465 (SSL), 587 (TLS, STARTTLS)

And according to the documentation of PHP function imap_open() I have modified the parameters as followed:

imap_open("{imap.domain.com:993/imap/ssl}INBOX", 'username', 'password');

So now I have the communication encrypted/secured and PHP does not report errors any more.

Upvotes: 1

Thierry Daguin
Thierry Daguin

Reputation: 885

It's not really a bogus message, it just means that it's a plaintext unencrypted connection. Here is how you can do :

$error = imap_errors();
if (count($error) > 1 || $error[0] != 'SECURITY PROBLEM: insecure server advertised AUTH=PLAIN') {
  // More than 1 error or not the expected error
  var_dump($error);
  throw new Exception('IMAP error detected');
}

Upvotes: 2

DaveRandom
DaveRandom

Reputation: 88677

I am a little surprised this is giving you in Unknown on line 0 as this normally only happens when the error occurs before the script begins to execute - however, the only real solution to this problem is to hide PHP errors.

It looks as though the server you are connecting to doesn't support secure authentication, and the only solution to this is to ask the server administrator to support it. Or to use a different server. There is nothing you can do in your code to work around that particular problem, so you will just have to handle the error instead of trying to fix it (much as I hate to recommend that approach to anyone for anything).

You may find that even calling ini_set('display_errors', 0) or using the evil @ operator won't fix this, since it is in Unknown on line 0 - although you shouldn't be showing PHP errors in a production environment anyway. You should ensure that your php.ini in production is set to hide errors from the user.

Upvotes: 1

Related Questions