SSL vs TLS vs STARTTLS for SMTP Mail Servers

EQ Admin

EQ Forum Admin
Staff member
The following was prompted by a conversation about SSL vs TLS vs STARTTLS for SMTP servers.


Which is more secure, SSL or TLS?

TLS is newer than SSL.

The latest versions of TLS are more secure than SSL.


Do I want to enable the biggest version numbers?

Not necessarily: the TLS version numbers are lower than the SSL version numbers.

The SSL implementations before v3 have vulnerabilities and should be disabled, and even v3 has some vulnerabilities that need to be addressed.

For TLS, as of this posting, you still want to enable any version of TLS 1.x that you can support.


What's the difference between SSL & TLS and STARTTLS?

SSL and TLS connections are always encrypted.

The STARTTLS option gives a mail program or sending server the option to turn an unencrypted connection into an encrypted connection.


Which version of SSL/TLS and STARTTLS gets used if multiple versions are available?

The mail server and mail program will negotiate which protocol to use.


What port number should I configure for SSL/TLS encrypted mail traffic?

SSL/TLS encrypted SMTP is usually configured on port 465.


Are there requirements for what gets configured on each mail port?

There are no requirements. Service providers choose which ports and feature combinations to offer.

Here are some common options for the standard SMTP ports:

Port 25 - Allow relay based on the sender's IP address, sometimes STARTTLS, sometimes SMTP Auth

Port 465 - SSL/TLS required, SMTP Auth usually required too

Port 587 - Usually some combination of SSL/TLS or STARTTLS, and SMTP Auth is offered

Please keep in mind when configuring your SMTP relays that many ISPs now block outbound port 25 for residential users.
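As an added example (not part of the original post, and not from any mail product discussed above), the following Python script shows the two client-side choices the post describes: implicit SSL/TLS on port 465 versus a plaintext connection on 587 that is upgraded with STARTTLS. It also shows the negotiation point the post mentions, by pinning a client policy that refuses anything older than TLS 1.2, and it handles the failure case a practitioner cares about: if a server on 587 does not advertise STARTTLS, the client refuses to continue rather than sending credentials in the clear (an attacker on the path can strip the STARTTLS keyword from the EHLO reply, so silently falling back is the dangerous choice). The host name, credentials and the EHLO reply are constructed sample values, not real servers or data.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Port roles as described above: 465 is implicit TLS (the socket is TLS from the
# first byte); 25 and 587 start in plaintext and may offer the STARTTLS upgrade.
IMPLICIT_TLS_PORTS = {465}

# Constructed sample of a server's EHLO reply as it appears on the wire.
# Intermediate lines use "250-", the final line uses "250 ".
SAMPLE_EHLO_REPLY = (
    b"250-mail.example.com Hello client.example.net\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250-AUTH LOGIN PLAIN\r\n"
    b"250 HELP\r\n"
)


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client TLS policy: verify the server certificate and hostname, and refuse
    to negotiate anything older than min_version. create_default_context()
    already disables SSLv2 and SSLv3; minimum_version also rules out TLS 1.0/1.1.
    The server and client still negotiate the highest version both allow."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    return ctx


def parse_ehlo_extensions(ehlo_reply):
    """Return the set of extension keywords (lower-cased, matching smtplib's
    esmtp_features keys) advertised in a raw multi-line EHLO reply."""
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    exts = set()
    for line in lines[1:]:  # lines[0] is the server greeting, not an extension
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            keyword = line[4:].strip().split(" ", 1)[0]
            if keyword:
                exts.add(keyword.lower())
    return exts


def choose_transport(port, extensions):
    """Decide how the session must be protected. Returns 'implicit' for a
    port-465 style connection, 'starttls' when the server offers the upgrade,
    and raises instead of permitting a plaintext session (STARTTLS stripping)."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit"
    if "starttls" in extensions:
        return "starttls"
    raise RuntimeError(
        "server on port %d did not advertise STARTTLS; refusing plaintext" % port
    )


def send_encrypted(host, port, username, password, msg, context=None, timeout=10):
    """Submit msg over an encrypted session and return the negotiated TLS
    version (e.g. 'TLSv1.3'). Exchange on a STARTTLS port:
        C: EHLO client        S: 250-... 250-STARTTLS ... 250 HELP
        C: STARTTLS           S: 220 Ready to start TLS
        <TLS handshake>       C: EHLO client (again, inside TLS)
        C: AUTH ...           S: 235 ok   ... MAIL FROM / RCPT TO / DATA"""
    context = context or make_client_context()
    if choose_transport(port, set()) == "implicit":
        smtp = smtplib.SMTP_SSL(host, port, context=context, timeout=timeout)
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        choose_transport(port, set(smtp.esmtp_features))  # raises if no STARTTLS
        smtp.starttls(context=context)
        smtp.ehlo()  # the pre-TLS extension list is untrusted; re-learn it inside TLS
    with smtp:
        smtp.login(username, password)
        smtp.send_message(msg)
        return smtp.sock.version()


if __name__ == "__main__":
    # Offline demonstration of the decision logic on the constructed reply.
    exts = parse_ehlo_extensions(SAMPLE_EHLO_REPLY)
    print("advertised:", sorted(exts), "-> 587:", choose_transport(587, exts))
    print("465 ->", choose_transport(465, set()))
    # Live submission (assumed hypothetical host and credentials):
    # m = EmailMessage(); m["From"] = "a@example.com"; m["To"] = "b@example.com"
    # m["Subject"] = "test"; m.set_content("hello")
    # print(send_encrypted("mail.example.com", 587, "a@example.com", "secret", m))
```

`choose_transport(port, set())` is called first with an empty extension set so that a port-465 connection never waits for an EHLO reply; only the STARTTLS path consults what the server advertised. If you must deliver to an MX on port 25 that offers no STARTTLS, that is a separate, deliberately opportunistic policy and should not share code with an authenticated submission client.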
 

EQ Admin

EQ Forum Admin
Staff member
It's also worth considering that SSL/TLS does not encrypt email, only the transmission of it over the network.

Sending and receiving with encrypted protocols is only part of an overall email security plan.

If you do not encrypt the actual messages then a 3rd party such as an ISP Mail Server Administrator could potentially read your email.
 