That is submission, not SMTP. It works great from your mail program to your mail server, not between one mail server and another. That’s why SMTP needs MTA-STS or TLSA. Having written the STARTTLS code for the mail server I use, and temporarily made it impossible for my wife to get mail from her mother due to broken TLSA, I’m not guessing here.
Please consider the environment before reading this message.

John Levine, [email protected]

> On Feb 27, 2026, at 03:21, Paul Vixie <[email protected]> wrote:
>
> "Port 465 is used for SMTPS, which is the secure version of the Simple Mail
> Transfer Protocol (SMTP). It employs implicit TLS encryption to secure email
> transmissions between clients and servers, ensuring that messages cannot be
> easily intercepted or tampered with."
>
> I realize that ietf believes otherwise but the market has spoken.
> Paul Vixie
> Feb 26, 2026 18:25:42 John R Levine <[email protected]>:
>
> Starttls, in both SMTP and IMAP, can be mitm'd (injection of refusal). We
> should not be using them any more.
>
> Not for SMTP if you use MTA-STS or DANE TLSA.
>
> In any event, in SMTP the only alternative to STARTTLS is not to use
> STARTTLS, which I don't think anyone would say was an improvement.
>
> R's,
> John
>
> Paul Vixie
>
> Feb 26, 2026 17:57:47 John R Levine <[email protected]>:
>
> On Wed, 25 Feb 2026, Dan Wing wrote:
> One approach would be to take the idea of
> https://datatracker.ietf.org/doc/html/rfc8314 and extend it to include SMTP
> itself, which would bring QUIC along doing a happy eyeballs-like attempt at
> QUIC falling back to TLS-over-TCP falling back to TCP-port-25-STARTTLS
> falling back to TCP-port-25 plaintext, or as Martin suggested have DNS
> optimize those choices.
>
> The problem with that is that SMTP doesn't do the TLS handshake at startup,
> only after a STARTTLS command in the TCP session. But see next message.
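The two downgrade cases the thread argues about (a MITM removing the STARTTLS capability from the EHLO reply, or injecting a refusal to the STARTTLS command) and the MTA-STS answer to them, as an added example that is not part of the thread and not code from any participant's mail server. It simulates the sending MTA's decision only: the DNS TXT lookup, the HTTPS policy fetch, policy caching and the DANE TLSA path are left out, and the hostnames, policy text and EHLO responses are constructed for the demonstration.

```python
import re
from dataclasses import dataclass


# Constructed: what the sending MTA would fetch from
# https://mta-sts.example.com/.well-known/mta-sts.txt for example.com.
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class StsPolicy:
    mode: str          # "enforce", "testing" or "none"
    mx: list           # allowed MX hostnames or "*.domain" patterns
    max_age: int       # seconds the policy may be cached


def parse_mta_sts_policy(text):
    """Parse the key/value policy body defined in RFC 8461 section 3.2."""
    fields, mx = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported policy version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {mode!r}")
    return StsPolicy(mode=mode, mx=mx, max_age=int(fields.get("max_age", "0")))


def mx_matches(policy, hostname):
    """RFC 8461 section 4.1: an MX is covered by an exact entry or by a
    '*.' pattern that matches exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]                  # e.g. ".backup.example.com"
            prefix = host[:-len(suffix)]
            if host.endswith(suffix) and prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


# Constructed EHLO responses. EHLO_STRIPPED is what a MITM that overwrites the
# STARTTLS capability delivers to the client; nothing in plaintext SMTP lets
# the client notice the edit.
EHLO_HONEST = ["250-mail.example.com", "250-SIZE 52428800", "250-STARTTLS", "250 8BITMIME"]
EHLO_STRIPPED = ["250-mail.example.com", "250-SIZE 52428800", "250-XXXXXXXX", "250 8BITMIME"]


def advertises_starttls(ehlo_lines):
    return any(re.fullmatch(r"250[- ]STARTTLS", l.strip(), re.I) for l in ehlo_lines)


def decide_delivery(mx_host, ehlo_lines, starttls_reply="220 Ready to start TLS", policy=None):
    """Return 'tls', 'plaintext' or 'refuse'.

    Without a policy the client is opportunistic: if STARTTLS is missing, or the
    server (or a MITM) answers the STARTTLS command with a refusal, mail goes in
    the clear. Under an enforce-mode policy (RFC 8461 section 5) either event,
    or an MX name the policy does not list, must block delivery instead.
    """
    enforce = policy is not None and policy.mode == "enforce"
    if enforce and not mx_matches(policy, mx_host):
        return "refuse"
    if advertises_starttls(ehlo_lines) and starttls_reply.startswith("220"):
        return "tls"   # a real MTA also validates the certificate against mx_host here
    return "refuse" if enforce else "plaintext"
```

With no policy, both the stripped EHLO and a "454 TLS not available" reply to STARTTLS end in plaintext delivery, which is the downgrade; with the enforce policy loaded, the same inputs return "refuse", and so does an MX name the policy does not list, which is how a MITM that redirects the session to its own host is caught even when it offers TLS. A "testing" policy does not change the opportunistic outcome, which is what makes it safe to deploy first and why the reporting side of MTA-STS matters.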
