Deploy360 3 July 2014

STARTTLS Everywhere


The Electronic Frontier Foundation (EFF) has launched the STARTTLS Everywhere project in an effort to encrypt more communication between Simple Mail Transfer Protocol (SMTP) Message Transfer Agents (MTAs). STARTTLS is a mechanism for employing Transport Layer Security (TLS) within many different Internet protocols. STARTTLS for SMTP is defined in RFC 3207.

Using STARTTLS, daemons first establish an unencrypted socket connection to their remote counterpart. Then, before exchanging any authentication information, a command is sent to ‘start TLS’. At this point the connection, if both ends support it, shifts to an encrypted TLS connection. If the remote daemon does not support STARTTLS, the near end may opt to continue unencrypted or to kill the connection.

Prior to the IETF’s ratification of STARTTLS, specific ports were reserved with IANA for the encrypted variant of each protocol. STARTTLS obviates the need for these well-known ports, since negotiation of the encrypted channel can occur on the unencrypted port.
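As an added example (not code from the original post or from the EFF project), the exchange just described in Python: the client reads the EHLO reply for the STARTTLS keyword, then upgrades the session with the standard library's smtplib, and, rather than continuing unencrypted, fails closed when the peer does not offer STARTTLS. The host name is a placeholder, and the EHLO replies are constructed samples.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (RFC 3207 section 2): intermediate lines use
# "250-", the final line uses "250 " followed by the keyword.
EHLO_WITH_STARTTLS = b"250-mail.example.org\r\n250-SIZE 10240000\r\n250 STARTTLS\r\n"
EHLO_WITHOUT_STARTTLS = b"250-mail.example.org\r\n250 SIZE 10240000\r\n"


def starttls_offered(ehlo_reply: bytes) -> bool:
    """Return True if a raw EHLO reply advertises the STARTTLS extension."""
    # The first line carries the server's domain, so skip it; every later
    # line is "250-KEYWORD [params]" or, for the last one, "250 KEYWORD".
    for line in ehlo_reply.decode("ascii", "replace").splitlines()[1:]:
        if line.startswith(("250-", "250 ")):
            keyword = line[4:].split(" ", 1)[0].upper()
            if keyword == "STARTTLS":
                return True
    return False


def connect_requiring_tls(host: str, port: int = 25, timeout: float = 10.0) -> smtplib.SMTP:
    """Open an SMTP session on the plaintext port and upgrade it with STARTTLS.

    Opportunistic STARTTLS continues in plaintext when the peer does not offer
    the extension; this version fails closed instead, and it also verifies the
    server certificate, which opportunistic deployments often skip.
    """
    context = ssl.create_default_context()  # chain and hostname verification
    smtp = smtplib.SMTP(host, port, timeout=timeout)  # plaintext socket first
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS; refusing to continue")
        smtp.starttls(context=context)  # sends STARTTLS, then performs the TLS handshake
        smtp.ehlo()  # RFC 3207: capabilities must be re-learned after the handshake
        return smtp
    except Exception:
        smtp.close()
        raise


if __name__ == "__main__":
    # Placeholder host; replace with an MTA you operate.
    with connect_requiring_tls("mail.example.invalid") as session:
        print("TLS established over", session.sock.__class__.__name__)
```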

While somewhat confusing given its title, the STARTTLS Everywhere project focuses exclusively on delivering a STARTTLS library for SMTP MTAs. STARTTLS for SMTP is an intermediate encryption technology designed to be used until DNSSEC and DANE can be fully deployed.

If you would like to learn more about TLS for Applications, please visit our TLS for Applications resources. If you would like to learn more about DNSSEC, please visit our DNSSEC resources.
