SSL Versus TLS Versus STARTTLS for Email
STARTTLS means "explicit TLS": the connection is established on the regular plaintext port, and the STARTTLS command is then sent to initiate the SSL/TLS handshake and switch the session to encrypted mode. The other option is implicit SSL/TLS on a dedicated port: in implicit mode the handshake takes place first, and the application-level protocol then runs over the established secure channel.
The help section at www.fastmail.com explains the distinction well; it states:
There's often quite a bit of confusion around the different terms SSL, TLS and STARTTLS.
SSL and TLS both provide a way to encrypt a communication channel between two computers (e.g. your computer and our server). TLS is the successor to SSL and the terms SSL and TLS are used interchangeably unless you're referring to a specific version of the protocol.
STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn't mean you have to use TLS, you can use SSL.
To add security to some existing protocols (e.g. IMAP, POP, etc.), it was decided to just add SSL/TLS encryption as a layer underneath the existing protocol. However, to distinguish that software should talk the SSL/TLS encrypted version of the protocol rather than the plaintext one, a different port number was used for each protocol. So you have:
- IMAP uses port 143, but SSL/TLS encrypted IMAP uses port 993
- POP uses port 110, but SSL/TLS encrypted POP uses port 995
- SMTP uses port 25, but SSL/TLS encrypted SMTP uses port 465
At some point, it was decided that having 2 ports for every protocol was wasteful, and instead you should have 1 port that starts off as plaintext, but the client can upgrade the connection to an SSL/TLS encrypted one. This is what STARTTLS was created to do.
SMTP STARTTLS as an exception
The one real exception to the above is SMTP. However, that's for a different reason again. Most email software (known as a mail user agent) used SMTP on port 25 to submit messages to the email server for onward transmission to the destination (known as a mail transfer agent). However, SMTP was originally designed for transfer, not submission. So yet another port (587) was defined for message submission.
Although port 587 doesn't mandate requiring STARTTLS, the use of port 587 became popular around the same time as the realisation that SSL/TLS encryption of communications between clients and servers was an important security and privacy issue and encryption extensions were being defined for SMTP. So shortly after port 465 was defined, it was revoked with the expectation that clients would move to using STARTTLS over port 587.
The result is that in most cases, systems that offer message submission over port 587 require clients to use STARTTLS to upgrade the connection and also require a username and password to authenticate. There has been an added benefit to this approach as well. By moving users away from using port 25 for email submission, ISPs are now able to block outgoing port 25 connections from users' computers, which were a significant source of spam due to infection with spam-sending viruses.
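As an added illustration of the two modes described above (this is example code, not from the original post or from FastMail), the following Python sketch maps the conventional ports to implicit TLS or STARTTLS, parses an EHLO reply to check whether STARTTLS is advertised, and opens an SMTP session that fails closed rather than continuing in plaintext when the upgrade is unavailable. The host name and EHLO replies are constructed for the example.

```python
import smtplib
import ssl

# Port conventions from the text: dedicated "implicit TLS" ports versus the
# plaintext ports that are upgraded in-band with STARTTLS.
IMPLICIT_TLS_PORTS = {465: "smtp", 993: "imap", 995: "pop3"}
STARTTLS_PORTS = {25: "smtp", 587: "smtp", 143: "imap", 110: "pop3"}


def tls_mode_for_port(port):
    """Return 'implicit' or 'starttls' for a conventional port, else None."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit"
    if port in STARTTLS_PORTS:
        return "starttls"
    return None


def starttls_offered(ehlo_reply):
    """Parse a multi-line EHLO reply (bytes) and report whether STARTTLS
    is advertised. Lines look like '250-KEYWORD' or '250 KEYWORD' (last)."""
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            if line[4:].strip().upper() == "STARTTLS":
                return True
    return False


def connect_smtp(host, port, context=None):
    """Open an SMTP session encrypted either implicitly or via STARTTLS.
    If the server does not advertise STARTTLS the session is closed instead
    of proceeding in plaintext, so a stripped capability list cannot cause
    credentials to be sent in the clear."""
    ctx = context or ssl.create_default_context()
    mode = tls_mode_for_port(port)
    if mode == "implicit":
        return smtplib.SMTP_SSL(host, port, context=ctx)
    if mode != "starttls":
        raise ValueError(f"no TLS convention known for port {port}")
    conn = smtplib.SMTP(host, port)
    conn.ehlo()
    if not conn.has_extn("starttls"):
        conn.close()
        raise RuntimeError("server did not advertise STARTTLS; refusing plaintext")
    conn.starttls(context=ctx)
    conn.ehlo()  # capabilities must be re-queried after the upgrade
    return conn


# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = b"250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = b"250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"
```

`connect_smtp` needs a reachable server; the parser and port mapping can be exercised offline with the constructed replies.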