What is StartTLS?
We all send dozens of emails each day, and these emails often contain sensitive information that we don’t want leaked, like personal data, banking details, or social security numbers. However, the SMTP protocol used to transfer email does not encrypt the data itself, so the content is readable by anyone capable of intercepting the network traffic. To eliminate this problem, the data stream has to be encrypted using cryptographic protocols.
Enforced vs. Opportunistic
One could ask: if there’s a strong need to encrypt email communications, why not just make it mandatory, refusing to establish an open, insecure connection? The reason is that certain legacy applications are still incapable of transmitting data securely, while the data they send may not be particularly privacy-sensitive. To support such outdated apps, programmers have developed a clever solution.
Opportunistic TLS
This method lets the client app initiate an insecure connection, which may then be upgraded to an encrypted one if the server supports that option. If the recipient’s server doesn’t support TLS, the client continues as is, sending the data in plain text. This solution is called opportunistic, or explicit, TLS.
Enforced TLS
There are situations when unencrypted data transfer is totally unacceptable. Newer applications also do not need opportunistic TLS as a backup option. In such cases, if a secure connection cannot be established, the session will not take place. This method is known as enforced, aka implicit TLS. It is secure but may cause mail to be rejected occasionally.
SMTP Ports: What Are They For?
So how do you know which option will be used for a particular scenario? The distinction is made by using different port numbers. A port number is just a numerical identifier which helps the system determine which application should process a particular chunk of data that has just arrived over the network.
Email communications may use several different ports. To make things even more complex, the intended use of these ports has changed over time. Currently, port 465 is used for SMTP connections with implicit TLS, and port 587 is used for opportunistic TLS.
But What Is StartTLS, Anyway?
It is a protocol command used for opportunistic TLS. It tells the server that the client wants to switch from an insecure connection to a secure one. StartTLS is implemented in the Simple Mail Transfer Protocol (SMTP) and the Internet Message Access Protocol (IMAP), the major protocols for transferring and retrieving emails, respectively. Yet another popular email protocol, POP3, uses a similar command, STLS.
Now that we know what StartTLS is, let’s see how it works.
Despite having only “TLS” in its name, StartTLS can negotiate either the TLS or the SSL security protocol. TLS is preferred because it is essentially the newer and more secure successor to SSL.
To proceed with an encrypted connection, the email client and mail server must first agree on which protocol version to use. For instance, if the client supports TLS version 1.3 but the server only supports version 1.2, both parties will proceed with version 1.2 to enable a secure connection.
The Process
An SMTP connection may initially be unencrypted. To make it secure, the StartTLS command must be issued to start negotiation between the server and the client. Here’s how an SMTP session goes:
- The client starts the network session with a Transmission Control Protocol (TCP) handshake, and the server and client identify each other.
- The server sends a 220 Ready command to the client, informing it that it can proceed with the SMTP session.
- The client sends an “EHLO” command to the server, letting it know that it would like to upgrade to Extended SMTP (a more advanced version of the SMTP protocol).
- The client sends a “250-STARTTLS” command to the server, asking it whether it accepts StartTLS or not.
- The server sends back a “go ahead” command to the client, letting it know it can create a StartTLS connection.
- The client receives the message and restarts the connection. The connection is now secure.
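The negotiation described in the steps above, as an added example that is not part of the original article: a simulated SMTP client in Python that walks the StartTLS exchange against scripted server replies and applies either the opportunistic or the enforced policy from the earlier sections. Host names and server replies are constructed; the exchange follows the order real servers use, in which the server advertises STARTTLS in its EHLO reply and the client then sends the STARTTLS command and waits for a 220 before the TLS handshake.

```python
import re
from enum import Enum

class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # upgrade if offered, otherwise continue in plain text
    ENFORCED = "enforced"            # upgrade or abort the session; never fall back to plain text

def parse_ehlo(reply: str) -> tuple[int, list[str]]:
    """Split a multi-line EHLO reply into (code, extensions).
    '250-X' lines continue the reply; a space after the code marks the last line."""
    code, exts = None, []
    for i, ln in enumerate(reply.splitlines()):
        m = re.match(r"^(\d{3})([ -])(.*)$", ln)
        if not m:
            raise ValueError(f"malformed reply line: {ln!r}")
        code = int(m.group(1))
        words = m.group(3).split()
        if i > 0 and words:          # the first line carries the server's greeting, not an extension
            exts.append(words[0].upper())
        if m.group(2) == " ":
            break
    return code, exts

def run_session(policy: Policy, server: list[str]) -> tuple[str, list[str]]:
    """Walk the StartTLS negotiation against scripted server replies.
    Returns (outcome, transcript); outcome is 'tls', 'plaintext' or 'aborted'."""
    replies, log = iter(server), []
    def recv(): r = next(replies); log.append("S: " + r.strip()); return r
    def send(cmd): log.append("C: " + cmd)
    if not recv().startswith("220"):            # 220 greeting: server is ready for the SMTP session
        return "aborted", log
    send("EHLO client.example.test")
    code, exts = parse_ehlo(recv())             # server lists its extensions, e.g. 250-STARTTLS
    if code == 250 and "STARTTLS" in exts:
        send("STARTTLS")                        # client asks to upgrade the connection
        if recv().startswith("220"):            # "220 Ready to start TLS": the TLS handshake begins
            log.append("-- TLS handshake; client re-issues EHLO over the encrypted channel --")
            return "tls", log
    # STARTTLS was not advertised, or the server declined it (e.g. a 454 reply).
    if policy is Policy.ENFORCED:
        send("QUIT")
        return "aborted", log
    return "plaintext", log                     # opportunistic: carry on unencrypted

# Constructed server scripts for the demo (not captured from a real server).
SERVER_WITH_STARTTLS = ["220 mail.example.test ESMTP ready\r\n",
    "250-mail.example.test Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 HELP\r\n",
    "220 2.0.0 Ready to start TLS\r\n"]
SERVER_LEGACY = ["220 legacy.example.test ESMTP\r\n", "250 legacy.example.test Hello\r\n"]
```

Running `run_session(Policy.ENFORCED, SERVER_LEGACY)` returns `aborted` with a transcript ending in `C: QUIT`, while the opportunistic policy returns `plaintext` for the same server, which is exactly the downgrade the enforced mode exists to prevent.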
Wrapping Up
An SMTP connection isn’t secure per se, which poses a problem for people sending sensitive information via email. StartTLS is a backward compatibility solution which makes it possible to upgrade from an insecure session to a secure one if the option is supported by both parties.
