The following was prompted by a conversation about SSL vs TLS vs STARTTLS for SMTP servers.
Which is more secure, SSL or TLS?
TLS is newer than SSL.
The latest versions of TLS are more secure than SSL.
Do I want to enable the biggest version numbers?
Not necessarily: the TLS version numbers are lower than the SSL version numbers.
The SSL implementations before v3 have vulnerabilities and should be disabled, and even v3 has some vulnerabilities that need to be addressed.
For TLS, as of this posting, you still want to enable any version of TLS 1.x that you can support.
What's the difference between SSL & TLS and STARTTLS?
SSL and TLS connections are always encrypted.
STARTTLS lets a mail program or sending server upgrade an unencrypted connection to an encrypted one.
Which version of SSL/TLS and STARTTLS gets used if multiple versions are available?
The mail server and mail program will negotiate which protocol to use.
What port number should I configure for SSL/TLS encrypted mail traffic?
SSL/TLS encrypted SMTP is usually configured on port 465.
Are there requirements for what gets configured on each mail port?
There are no requirements. Service providers choose which ports and feature combinations to offer.
Here are some common options for the standard SMTP ports:
Port 25 - Allow relay based on the sender's IP address, sometimes STARTTLS, sometimes SMTP Auth
Port 465 - SSL/TLS required, SMTP Auth usually required too
Port 587 - Usually some combination of SSL/TLS or STARTTLS, and SMTP Auth is offered
Please keep in mind when configuring your SMTP relays that many ISPs now block outbound port 25 for residential users.
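As an added example (not code from the original post), the Python below applies the port conventions above: it parses a constructed EHLO reply, picks implicit SSL/TLS on port 465 or STARTTLS elsewhere, refuses to authenticate when no encryption is offered, and builds a client context that can never negotiate SSLv2/SSLv3. `SAMPLE_EHLO`, `open_session` and the TLS 1.2 floor are assumptions of this example, not the post's.

```python
import smtplib
import ssl

# Constructed EHLO reply for the offline demo; not captured from any real server.
SAMPLE_EHLO = (
    "250-mail.example.invalid Hello client\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

def parse_ehlo(reply: str) -> dict[str, str]:
    """Map each advertised EHLO keyword (upper-cased) to its parameters; line 1 is the greeting."""
    caps: dict[str, str] = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue                      # only 250 lines carry extensions
        keyword, _, params = line[4:].strip().partition(" ")  # drop '250-' / '250 '
        caps[keyword.upper()] = params
    return caps

def choose_transport(port: int, caps: dict[str, str]) -> str:
    """465 is SSL/TLS from the first byte; elsewhere STARTTLS must be advertised before AUTH."""
    if port == 465:
        return "implicit-tls"
    if "STARTTLS" in {k.upper() for k in caps}:   # smtplib lower-cases its keys
        return "starttls"
    return "refuse"                       # never send credentials in cleartext

def mail_tls_context() -> ssl.SSLContext:
    """Certificate-verifying context; assumed floor TLS 1.2, so SSLv2/SSLv3 are never offered."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def open_session(host: str, port: int, user: str, password: str) -> smtplib.SMTP:
    """Hypothetical helper: connect, encrypt per choose_transport(), then log in."""
    ctx = mail_tls_context()
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, context=ctx, timeout=30)
    else:
        conn = smtplib.SMTP(host, port, timeout=30)
        conn.ehlo()
        if choose_transport(port, conn.esmtp_features) != "starttls":
            conn.quit()
            raise RuntimeError(f"{host}:{port} offers no STARTTLS; not sending credentials")
        conn.starttls(context=ctx)
        conn.ehlo()                       # re-read capabilities after the upgrade
    conn.login(user, password)
    return conn
```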