SSL vs TLS vs STARTTLS for SMTP Mail Servers

Discussion in 'Mail Server Support' started by popowich, Sep 10, 2013.

  1. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,983
    Likes Received:
    120
    The following was prompted by a conversation about SSL vs TLS vs STARTTLS for SMTP servers.


    Which is more secure, SSL or TLS?

    TLS is newer than SSL.

    The latest versions of TLS are more secure than SSL.


    Do I want to enable the biggest version numbers?

    Not necessarily, the TLS version numbers are lower than the SSL version numbers.

    The SSL implementations before v3 have vulnerabilities and should be disabled, and even v3 has some vulnerabilities that need to be addressed.

    For TLS, as of this posting, you still want to enable any version of TLS 1.x that you can support.


    What's the difference between SSL & TLS and STARTTLS?

    SSL and TLS connections are always encrypted.

    The STARTTLS option gives a mail program or sending server the option to turn an unencrypted connection into an encrypted connection.


    Which version of SSL/TLS and STARTTLS gets used if multiple versions are available?

    The mail server and mail program will negotiate which protocol to use.


    What port number should I configure for SSL/TLS encrypted mail traffic?

    SSL/TLS encrypted SMTP is usually configured on port 465.


    Are there requirements for what gets configured on each mail port?

    There are no requirements. Service providers choose which ports and feature combinations to offer.

    Here are some common options for the standard SMTP ports:

    Port 25 - Allow relay based on the sender's IP address, sometimes STARTTLS, sometimes SMTP Auth

    Port 465 - SSL/TLS required, SMTP Auth usually required too

    Port 587 - Usually some combination of SSL/TLS or STARTTLS, and SMTP Auth is offered

    Please keep in mind when configuring your SMTP relays that many ISPs now block outbound port 25 for residential users.
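The two connection styles described in this post (implicit SSL/TLS on port 465 versus a STARTTLS upgrade on 587 or 25) and the advice to disable the old SSL versions, shown as an added Python example using the standard library's smtplib and ssl modules. This is not code from the original post; the host name in the usage section is a placeholder, and the port-to-transport mapping encodes the conventions listed above, which are not requirements.

```python
"""Implicit TLS (port 465) vs STARTTLS (port 587/25) for SMTP clients.

Added example, not part of the forum post. Port conventions follow the
post above; they are common practice, not protocol requirements.
"""
import smtplib
import ssl
from typing import Optional

IMPLICIT_TLS_PORT = 465   # TLS handshake happens before the SMTP banner
SUBMISSION_PORT = 587     # starts in plaintext, upgraded with STARTTLS
SMTP_PORT = 25            # server-to-server relay, STARTTLS sometimes offered


def make_client_context() -> ssl.SSLContext:
    """Build a client context that refuses SSLv2, SSLv3, TLS 1.0 and TLS 1.1.

    ssl.create_default_context() already disables SSLv2/SSLv3 and turns on
    certificate and hostname verification; minimum_version then excludes the
    older TLS 1.x versions as well, so only TLS 1.2+ can be negotiated.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def transport_for_port(port: int) -> str:
    """Map a conventional SMTP port to the handshake style it implies."""
    if port == IMPLICIT_TLS_PORT:
        return "implicit-tls"
    if port in (SUBMISSION_PORT, SMTP_PORT):
        return "starttls"
    raise ValueError(f"no conventional SMTP transport for port {port}")


def connect(host: str, port: int,
            context: Optional[ssl.SSLContext] = None) -> smtplib.SMTP:
    """Open an SMTP session that is encrypted before any credentials are sent.

    Port 465: TLS first, then SMTP. Port 587/25: EHLO in the clear, then
    STARTTLS. If the server does not advertise STARTTLS the session is
    closed instead of continuing in plaintext, because silently falling
    back is what a capability-stripping on-path attacker relies on.
    """
    ctx = context or make_client_context()
    if transport_for_port(port) == "implicit-tls":
        conn = smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)
        conn.ehlo()
    else:
        conn = smtplib.SMTP(host, port, timeout=10)
        conn.ehlo()
        if not conn.has_extn("starttls"):
            conn.quit()
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS")
        conn.starttls(context=ctx)
        conn.ehlo()  # capabilities must be re-read after the upgrade
    return conn


def negotiated_version(conn: smtplib.SMTP) -> str:
    """Report the protocol version actually negotiated, e.g. 'TLSv1.3'."""
    return conn.sock.version()


if __name__ == "__main__":
    import sys
    # "mail.example.com" is a placeholder; pass a real host and port.
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else SUBMISSION_PORT
    with connect(host, port) as session:
        print(transport_for_port(port), negotiated_version(session))
```

Run it as `python smtp_tls.py mail.example.com 587` to see which transport was used and which TLS version the server negotiated; a server still limited to SSLv3 or TLS 1.0 will fail the handshake rather than connect, which is the intended behaviour.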
     


  2. popowich

    popowich EQ Forum Admin Staff Member

    It's also worth considering that SSL/TLS does not encrypt email, only the transmission of it over the network.

    Sending and receiving with encrypted protocols is only part of an overall email security plan.

    If you do not encrypt the actual messages then a 3rd party such as an ISP Mail Server Administrator could potentially read your email.
     
