Deploy360 3 July 2014

STARTTLS Everywhere


The Electronic Frontier Foundation (EFF) has launched the STARTTLS Everywhere project in an effort to encrypt more of the communication between Simple Mail Transfer Protocol (SMTP) Message Transfer Agents (MTAs). STARTTLS is a general technique for upgrading a connection to Transport Layer Security (TLS) that has been adopted by many different Internet protocols. STARTTLS for SMTP is defined in RFC 3207.

With STARTTLS, the two daemons first establish an unencrypted socket connection. Then, before exchanging any authentication information, the client sends a command to ‘start TLS’. At this point the connection hopefully switches to an encrypted TLS session. If the remote daemon does not support STARTTLS, the near end may either continue unencrypted or drop the connection.
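The exchange just described, as an added example that is not part of the original post: a client-side STARTTLS negotiation for SMTP (RFC 3207) scripted against a constructed in-memory MTA, with no network and no real TLS handshake. The host names and the `require_tls` switch are assumptions for the example; the switch is where the ‘continue unencrypted or drop the connection’ decision is made.

```python
# Added example (not the project's code): SMTP STARTTLS negotiation per RFC 3207,
# run against a constructed fake MTA so it executes offline.

class FakeMta:
    """Scripted remote MTA; the two flags are constructed for the example."""
    def __init__(self, advertise_starttls=True, tls_ready=True):
        self.advertise, self.tls_ready, self.tls_active = advertise_starttls, tls_ready, False

    def reply(self, cmd: str) -> str:
        if cmd.startswith("EHLO"):
            caps = ["250-mta.example.net Hello", "250-SIZE 10240000", "250-8BITMIME"]
            # RFC 3207 s.4.2: STARTTLS must not be re-advertised once TLS is active.
            if self.advertise and not self.tls_active:
                caps.append("250-STARTTLS")
            caps.append("250 HELP")
            return "\r\n".join(caps) + "\r\n"
        if cmd == "STARTTLS":
            if self.tls_active:
                return "503 TLS already active\r\n"
            if not self.advertise or not self.tls_ready:
                return "454 TLS not available due to temporary reason\r\n"
            self.tls_active = True  # server now expects the TLS handshake to begin
            return "220 Ready to start TLS\r\n"
        return "502 command not implemented\r\n"

def ehlo_capabilities(reply: str) -> set:
    """Parse a multi-line 250 EHLO reply ('250-' continues, '250 ' ends) into keywords."""
    lines = reply.rstrip("\r\n").split("\r\n")
    for ln in lines:
        if not ln.startswith("250") or len(ln) < 4 or ln[3] not in "- ":
            raise ValueError(f"malformed EHLO reply: {ln!r}")
    return {ln[4:].split()[0].upper() for ln in lines[1:]}  # lines[0] is the greeting

def client_session(mta: FakeMta, require_tls: bool):
    """Run EHLO / STARTTLS; return ('tls' | 'plaintext' | 'aborted', transcript)."""
    transcript = []
    def send(cmd):
        rep = mta.reply(cmd)
        transcript.append(f"C: {cmd}")
        transcript.append("S: " + rep.strip())
        return rep
    caps = ehlo_capabilities(send("EHLO client.example.org"))
    # Only issue STARTTLS if advertised; a 454 means TLS is not available right now.
    if "STARTTLS" not in caps or not send("STARTTLS").startswith("220"):
        # Opportunistic mode carries on in the clear; strict mode drops the session.
        return ("aborted" if require_tls else "plaintext"), transcript
    # The TLS handshake would run here. RFC 3207 s.4.2: the client must discard the
    # capabilities learned before TLS and send EHLO again inside the encrypted session.
    caps = ehlo_capabilities(send("EHLO client.example.org"))
    assert "STARTTLS" not in caps
    return "tls", transcript
```

Setting `require_tls=False` reproduces the fallback described above, where an MTA that does not offer or cannot start TLS is still talked to in plaintext.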

Prior to the IETF’s ratification of STARTTLS, specific ports were reserved with IANA for encrypted communications for each protocol. STARTTLS obviates the need for these well-known ports, since the negotiation of the encrypted channel can occur on the unencrypted port.

While somewhat confusing given its title, the STARTTLS Everywhere project focuses exclusively on delivering a STARTTLS library for SMTP MTAs. STARTTLS for SMTP is an intermediate encryption technology designed to be used until DNSSEC and DANE can be fully deployed.


If you would like to learn more about TLS for Applications, please visit our TLS for Applications resources. If you would like to learn more about DNSSEC, please visit our DNSSEC resources.
