STARTTLS
What is STARTTLS?
STARTTLS is a command that upgrades an existing plain-text email connection to an encrypted one using TLS, without needing to use a separate port. Rather than establishing an encrypted connection from the outset (as HTTPS does for web traffic), STARTTLS begins with a plain-text connection and then "upgrades" it to use TLS encryption mid-session, if both parties support it. The name reflects exactly what it does: it tells the server to start TLS.
How does STARTTLS work?
When a mail client connects to an SMTP server, the server announces which capabilities it supports, including whether STARTTLS is available. If the client supports it, it sends the STARTTLS command. The two parties then carry out a TLS handshake, and all subsequent communication is encrypted. If either party does not support STARTTLS, the connection continues unencrypted.
Which ports use STARTTLS?
STARTTLS is most commonly used with SMTP port 587 (for email submission), and also with port 143 for IMAP and port 110 for POP3. It is distinct from "implicit TLS" (sometimes called SMTPS), where the connection is encrypted from the very start on port 465.
Is STARTTLS secure?
STARTTLS is generally considered secure when properly configured, but it does have a known weakness: because the initial connection begins unencrypted, an attacker could theoretically intercept it and prevent the TLS upgrade (a "STARTTLS stripping" attack). Implicit TLS on port 465 avoids this, as the connection is encrypted from the first byte.
STARTTLS and MIDAS
When MIDAS is configured to send email via SMTP on port 587, it uses STARTTLS to encrypt the connection to your mail server, ensuring that booking confirmations and other emails are transmitted securely.
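The stripping weakness described under "Is STARTTLS secure?" comes from clients that carry on in plain text when the STARTTLS capability is missing. The following is an added example, not MIDAS code: a Python client policy that parses the server's capability list and refuses to continue without STARTTLS. The host name, the sample EHLO replies and the function names are constructed for illustration.

```python
import smtplib
import ssl


class TLSRequiredError(Exception):
    """The server did not offer STARTTLS and policy forbids plain text."""


def advertised_extensions(ehlo_reply):
    """Return the upper-cased extension keywords from a multi-line EHLO reply."""
    keywords = set()
    for line in ehlo_reply.splitlines()[1:]:      # line 1 is the server greeting
        if line[:3] == "250" and line[3:4] in ("-", " ") and line[4:].strip():
            keywords.add(line[4:].split()[0].upper())
    return keywords


def next_step(ehlo_reply, require_tls=True):
    """Decide what a client does after EHLO: 'starttls', 'plaintext', or refuse."""
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return "starttls"
    if require_tls:
        # A missing keyword may mean an old server or a stripped capability list;
        # the client cannot tell which, so it stops before sending anything.
        raise TLSRequiredError("STARTTLS not advertised; refusing to continue")
    return "plaintext"                            # opportunistic: silent downgrade


def open_submission(host, port=587):
    """Connect for submission, insist on STARTTLS, and verify the certificate."""
    smtp = smtplib.SMTP(host, port, timeout=10)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TLSRequiredError(f"{host}:{port} did not advertise STARTTLS")
        smtp.starttls(context=ssl.create_default_context())  # checks cert + hostname
        smtp.ehlo()                               # re-read capabilities over TLS
        return smtp
    except Exception:
        smtp.close()
        raise


# Constructed EHLO replies: a normal one, and the same with STARTTLS removed.
NORMAL = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
STRIPPED = "250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME"

if __name__ == "__main__":
    print(next_step(NORMAL))
    print(next_step(STRIPPED, require_tls=False))
```

With `require_tls=True`, the stripped reply raises `TLSRequiredError` before any credentials or message content are sent.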