The terms SSL, TLS, and STARTTLS are often confused with one another. In this article we will look at the differences between them in order to clarify these concepts. We will also look at some good, modern practices that must be followed when an application or a client communicates with our infrastructure's mail servers, so that the communication is secure and encrypted.
Differences between SSL/TLS vs STARTTLS
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both powerful encryption protocols that provide security for communication on a network. Network here means, for example, a client connecting to a server.
These protocols are used in our daily lives in many applications such as our web browsing, email service, file transfer, instant messaging, teleconferencing, VoIP, etc. TLS is the continuation of the SSL protocol.
The SSL and TLS version numbers from the oldest to the newest are: SSL v2, SSL v3, TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3.
The versions now supported by our infrastructure are TLS v1.2 & v1.3. The other versions have been removed due to known vulnerabilities.
Check which version of TLS is compatible with the software platform or operating system you are using.
STARTTLS differs from SSL and TLS in that it is not a communication protocol. It is a protocol command (an extension of SMTP, IMAP and POP3) with which the email client informs the mail server that it wants to upgrade the connection from an insecure one to a secure one using SSL or TLS.
More specifically, in the past, before the encrypted communication method using secure ports was established (e.g. 587, 465, 995, 993), many insecure connections between a client and a server were made on the default ports (such as 25, 143 & 110). This puts data and important information at risk of being intercepted. STARTTLS came to help reduce this risk by converting the unsecured connection into a secure one using either SSL or TLS.
In other words, STARTTLS uses ports 25, 143 & 110, but with encryption. This is how it works: the connection is initially established without encryption. The client sending the email then asks the server whether it supports an encrypted method. If the server does, encrypted communication is set up between them. If the server does not, the connection is not upgraded and remains the original insecure communication (which is not recommended, for security and privacy reasons). We suggest that this first communication should always be secured, because the sensitive information shared (such as username & password) must not be interceptable.
Here is an example. In SMTP communication, if the connection takes place on port 587, it is secure, which is ideal. If the connection is made on port 25, it is insecure; however, the STARTTLS command, once sent, upgrades it to a secure connection.
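The exchange described above, as an added example that is not part of the original article: a constructed stand-in mail server on a loopback port (hypothetical host name mail.example.test) speaks only the plaintext phase of SMTP, and a client built on Python's smtplib reads the EHLO reply, issues STARTTLS only when the server advertises it, and refuses to go any further (in particular, it never sends credentials) when STARTTLS is missing, which is the downgrade case the text warns about. The stand-in has no certificate, so it acknowledges STARTTLS and stops where the TLS handshake would begin; the context a real client would hand to `smtp.starttls()` is shown separately, pinned to TLS 1.2 and above.

```python
import smtplib
import socket
import ssl
import threading


def tls12_plus_context() -> ssl.SSLContext:
    """Client-side context for the upgrade step: certificate validation on,
    nothing older than TLS 1.2 (the only versions the article still supports)."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_version() -> str:
    return tls12_plus_context().minimum_version.name


class FakeSmtpServer(threading.Thread):
    """Constructed stand-in for a mail server (hypothetical name mail.example.test).
    It handles banner, EHLO, STARTTLS (acknowledged, then the session ends, since
    the stand-in has no certificate for a real handshake) and QUIT."""

    def __init__(self, offer_starttls: bool):
        super().__init__(daemon=True)
        self.offer_starttls = offer_starttls
        self.transcript = []                    # both sides' lines, for display
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        rw = conn.makefile("rwb")

        def send(line: str):
            self.transcript.append("S: " + line)
            rw.write((line + "\r\n").encode())
            rw.flush()

        send("220 mail.example.test ESMTP (constructed stand-in)")
        while True:
            raw = rw.readline()
            if not raw:
                break
            line = raw.decode().rstrip("\r\n")
            self.transcript.append("C: " + line)
            verb = line.split(" ", 1)[0].upper()
            if verb == "EHLO":
                replies = ["250-mail.example.test", "250-AUTH PLAIN LOGIN"]
                if self.offer_starttls:
                    replies.append("250-STARTTLS")
                replies.append("250 8BITMIME")  # final line uses "250 " without a dash
                for r in replies:
                    send(r)
            elif verb == "STARTTLS":
                send("220 2.0.0 Ready to start TLS")
                break                           # a real server now expects the TLS ClientHello
            elif verb == "QUIT":
                send("221 Bye")
                break
            else:
                send("502 Command not implemented")
        rw.close()
        conn.close()
        self.listener.close()


def negotiate_starttls(port: int) -> str:
    """Plaintext phase of a careful client: "upgrade" when the server advertised
    STARTTLS and accepted the command, "refuse" otherwise. On the refuse path no
    credentials are sent, even though the server offered AUTH in the clear."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example.test",
                      timeout=5) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "refuse"                     # no downgrade to a plaintext login
        code, _ = smtp.docmd("STARTTLS")
        if code != 220:
            return "refuse"
        # Against a real server the next step is the handshake, which is what
        # smtp.starttls(context=tls12_plus_context()) performs; the stand-in
        # has no certificate, so the example stops at this point.
        return "upgrade"


if __name__ == "__main__":
    for offered in (True, False):
        server = FakeSmtpServer(offer_starttls=offered)
        server.start()
        decision = negotiate_starttls(server.port)
        server.join(timeout=5)
        print(f"server offers STARTTLS={offered}: client decision = {decision}")
        for entry in server.transcript:
            print("   ", entry)
```

Running the block prints both transcripts side by side: with STARTTLS offered the client sends the command and receives the 220 go-ahead; without it the client sends nothing but QUIT. The refusal is the important part: a client that silently continues with AUTH when STARTTLS is absent is exactly the insecure fallback the article describes.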
Below we list some best practices and upcoming changes to the mail service that you will need to act on if you use ports with both secure and insecure connections.
Upcoming changes to the mail service
As mentioned above, as part of upgrading and enhancing the protection of information transferred over the network when communicating with the mail servers of our infrastructure, the goal is for everyone to use encrypted methods. That is because we want to ensure user authentication, data integrity and zero chance of a data breach.
To achieve this, we have implemented in our infrastructure all modern encryption methods which ensure secure communication between the email server and the email clients / applications you use.
For your part, you need to ensure that the applications, mail clients, and operating systems you use are compatible with TLSv1.2 & TLSv1.3. In other words, you should abandon the old communication protocols, TLSv1.0 & TLSv1.1, which are now considered unsafe (they come mainly from old operating systems and old devices) and upgrade to new ones. You can find more information in this article.
Besides the email clients you use, you should also upgrade all other applications and website plugins that communicate with the mail server (such as contact forms, WordPress SMTP authentication plugins, etc.).
Regarding email clients, below we list the settings that you should define for the IMAP, POP3 & SMTP communication protocols.
For communication between users and the mail server to be secure and encrypted, once you have made sure that your applications and operating system are compatible with TLS v1.2 and above, use the secure ports and the SSL / TLS communication protocol.
Therefore, we recommend that you use:
IMAP: Secure port: 993, using SSL / TLS (recommended)
POP3: Secure port: 995, using SSL / TLS (recommended)
SMTP: Secure port: 465, using SSL / TLS (recommended)
SMTP: Secure port: 587, using STARTTLS (recommended)
NOTE: If, for some reason, any of the secure ports recommended above cannot be used (e.g. because of a firewall), you can use the default ports 143, 110 & 25 as an alternative, together with STARTTLS. This upgrades the connection from insecure to secure, provided that both the client and the server support it. A prerequisite, as mentioned above, is that your applications and operating systems support TLS v1.2 and above.
IMAP: Insecure port: 143, using STARTTLS
POP3: Insecure port: 110, using STARTTLS
SMTP: Insecure port: 25, using STARTTLS
As part of our changes to ensure data protection in the mail service, we are removing unencrypted login from our infrastructure. Only an encrypted password will be accepted. To change this in your mail clients, go to your email account settings and set the authentication method to "Encrypted password".
For example, if you are using the default ports (143, 110 & 25) together with STARTTLS, then as the authentication method you should select "Encrypted password": if for any reason the communication is not encrypted, the password itself will still be encrypted and will not be transmitted as plain text.
Below you can see an example of setting up an email account in Thunderbird, where the unsecured ports 143 (for IMAP) and 25 (for SMTP) are used, STARTTLS is selected as the connection security, and "Encrypted password" is set as the authentication method.
Under no circumstances should you select "Normal password" or any option other than "Encrypted password" for authentication: the password would not be encrypted and would be transmitted as plain text. To prevent this from happening, as mentioned above, the other authentication methods are no longer accepted by our infrastructure.
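What the "Normal password" and "Encrypted password" settings put on the wire, as an added example that is not part of the original article or of Thunderbird: in Thunderbird the "Encrypted password" option selects the CRAM-MD5 mechanism (RFC 2195), a challenge-response scheme in which the client sends an HMAC-MD5 of a server-chosen challenge keyed with the password, while "Normal password" sends SASL PLAIN (RFC 4616), which is merely base64-encoded. The account name, password and host name below are constructed sample values, and the `password_for_user` lookup is a stand-in for the server's credential store.

```python
import base64
import hashlib
import hmac
import secrets
import time


def plain_response(user: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): "\\0user\\0password", base64-encoded. Base64 is an
    encoding, not encryption: anyone who sees the line can decode the password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def cram_md5_challenge(host: str = "mail.example.test") -> str:
    """Server side of CRAM-MD5 (RFC 2195): a fresh, unpredictable challenge."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>"


def cram_md5_response(user: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 keyed with the password over the challenge; only
    "user <hexdigest>" travels, never the password itself."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response: str, challenge: str, password_for_user) -> bool:
    """Server side: recompute the digest from the stored password and compare in
    constant time. `password_for_user` is a lookup callable (constructed here)."""
    user, _, digest = base64.b64decode(response).decode().partition(" ")
    stored = password_for_user(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def password_visible(response: str, password: str) -> bool:
    """What a passive observer of an unencrypted session learns: does the
    decoded authentication line contain the password verbatim?"""
    return password in base64.b64decode(response).decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample account; no real credentials involved.
    users = {"alice": "correct horse battery"}
    user, pw = "alice", users[user]
    plain = plain_response(user, pw)
    chal = cram_md5_challenge()
    cram = cram_md5_response(user, pw, chal)
    print("PLAIN line    :", plain, "-> password visible:", password_visible(plain, pw))
    print("CRAM-MD5 line :", cram, "-> password visible:", password_visible(cram, pw))
    print("server accepts:", cram_md5_verify(cram, chal, users.get))
```

Two design points are worth noting. The challenge must be fresh for every login, which is why `cram_md5_verify` rejects a response replayed against a different challenge. And CRAM-MD5 only keeps the password itself off the wire: it does nothing for the message content, and a captured challenge/response pair can still be attacked offline, which is why the article pairs it with STARTTLS rather than offering it as a substitute.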