What is STARTTLS

STARTTLS is a protocol command used to upgrade a plaintext communication to an encrypted (TLS or SSL) communication.

The basic idea is to start with an unencrypted connection, then use the STARTTLS command to mark the point at which the rest of the session becomes encrypted. This allows protocols that didn't originally include TLS encryption to be upgraded to include it.

STARTTLS is often used in email transmission (SMTP), but it can also be used in other communication protocols, including POP3 and IMAP, which are used for retrieving and storing email.

When used in the context of SMTP on port 25, the client sends the STARTTLS command, the server responds with a "go ahead" message, and the client and server then negotiate an encrypted TLS session. After the TLS session is set up, all communication is encrypted. This process helps protect against eavesdropping and tampering with the email data during transmission.

However, it's important to note that STARTTLS is opportunistic, and downgrade attacks are possible. An attacker positioned on the path could interfere with the negotiation (for example, by removing the STARTTLS offer or blocking the STARTTLS command) and cause the client and server to carry on communicating over an unencrypted connection. This is why some email servers also support SMTPS (SMTP over SSL), which starts with an encrypted connection and is therefore not exposed to the downgrade that STARTTLS is.
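The exchange described in the two paragraphs above, as an added example that is not part of the original page: a client walks through EHLO and STARTTLS against two constructed reply sets, one where the server offers STARTTLS and one where the offer has been stripped from the EHLO reply. The server lines, host names and reply texts are all made up; the point is the difference between an opportunistic client (which keeps going in plaintext when the offer is missing) and a client that requires TLS (which aborts instead).

```python
"""Simulated SMTP STARTTLS negotiation with an opportunistic and a TLS-required client policy.

Added example: the server replies below are constructed, not captured from a real server.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed reply sets. Keys are the client commands; values are the server's reply lines.
OFFERS_STARTTLS = {
    "EHLO": [
        "250-mail.example.test Hello client.example.test",
        "250-SIZE 35882577",
        "250-STARTTLS",
        "250 ENHANCEDSTATUSCODES",
    ],
    "STARTTLS": ["220 2.0.0 Ready to start TLS"],
}

# What the client sees if an on-path attacker removed the STARTTLS line from the EHLO reply:
# nothing else changes, so an opportunistic client simply carries on in plaintext.
STARTTLS_STRIPPED = {
    "EHLO": [
        "250-mail.example.test Hello client.example.test",
        "250-SIZE 35882577",
        "250 ENHANCEDSTATUSCODES",
    ],
    "STARTTLS": ["454 4.7.0 TLS not available due to temporary reason"],
}


def parse_ehlo(lines: list[str]) -> set[str]:
    """Extract the extension keywords from a multi-line EHLO reply.

    Every line starts with a three-digit code; '-' after the code means more lines follow,
    a space marks the final line. The first line carries the server name, not an extension.
    """
    if not lines:
        raise ValueError("empty EHLO reply")
    extensions: set[str] = set()
    for index, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        code, separator, text = line[:3], line[3], line[4:]
        if code != "250":
            raise ValueError(f"EHLO rejected: {line}")
        is_last = index == len(lines) - 1
        if (separator == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        if index > 0 and text:
            extensions.add(text.split()[0].upper())
    return extensions


@dataclass(frozen=True)
class Outcome:
    encrypted: bool  # True once the 220 reply arrives and the TLS handshake would begin
    aborted: bool    # True when the client refused to continue without TLS
    reason: str


def negotiate(server: dict[str, list[str]], require_tls: bool) -> Outcome:
    """Walk the EHLO -> STARTTLS exchange against one of the reply sets above."""
    extensions = parse_ehlo(server["EHLO"])
    if "STARTTLS" not in extensions:
        if require_tls:
            return Outcome(False, True, "STARTTLS not advertised; refusing to send in plaintext")
        return Outcome(False, False, "STARTTLS not advertised; continuing in plaintext")
    reply = server["STARTTLS"][0]
    if reply.startswith("220"):
        # After the handshake the client must send EHLO again and discard everything it learned
        # before TLS (RFC 3207), because the plaintext EHLO reply could have been tampered with.
        return Outcome(True, False, "220 received; TLS handshake starts, later traffic encrypted")
    if require_tls:
        return Outcome(False, True, f"STARTTLS refused with {reply[:3]}; refusing plaintext")
    return Outcome(False, False, f"STARTTLS refused with {reply[:3]}; continuing in plaintext")


if __name__ == "__main__":
    scenarios = (("offers STARTTLS", OFFERS_STARTTLS), ("STARTTLS stripped", STARTTLS_STRIPPED))
    for name, server in scenarios:
        for policy in (False, True):
            result = negotiate(server, require_tls=policy)
            print(f"{name:18} require_tls={policy!s:5} -> {result.reason}")
```

Running the script prints four lines: the opportunistic client ends up in plaintext whenever the offer is missing or refused, while the TLS-required client aborts in the same cases. In real deployments that second policy is what MTA-STS (RFC 8461) and DANE for SMTP (RFC 7672) provide: the sender learns out of band that the receiving domain must support TLS, so a stripped STARTTLS offer becomes a hard failure rather than a silent fallback.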

How to test whether a server supports STARTTLS

You can use the command-line tool to test STARTTLS availability on a mail server. It lets you send SMTP commands by hand and inspect the server's responses.

Follow these steps to test STARTTLS:

  1. First, open a terminal.
  2. Connect to the mail server using by running:
  3. If the server supports STARTTLS, you should see output that includes the server's certificate, followed by a line similar to this:

The command connects to the mail server at on port and initiates a STARTTLS handshake.

If the server doesn't support STARTTLS, it'll either not respond to the command, or it might respond with an error message.

Remember that is a Unix-based command, so it may not work on all platforms. If you're on a Windows system, you might need to download OpenSSL or use a similar tool.

Also, note that just because a server supports STARTTLS, that doesn't necessarily mean it's properly configured or that it requires TLS. For a more comprehensive test of a mail server's security, you should use a dedicated mail server testing tool or service.
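As an added example (not the page's own procedure), the same check scripted with Python's standard `smtplib` and `ssl` modules, which is useful on platforms where the command-line tool is not available. It connects, checks whether the EHLO reply advertises STARTTLS, upgrades with a certificate-verifying context, and reports the negotiated protocol version and cipher. The host `mail.example.test` is a placeholder; point it at a server you operate.

```python
"""Probe a mail server's STARTTLS support and assess the negotiated TLS session.

Added example built on Python's standard smtplib and ssl modules; the default host is a placeholder.
"""
from __future__ import annotations

import smtplib
import ssl
import sys

DEPRECATED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}


def assess(starttls_offered: bool, version: str | None, verified: bool) -> list[str]:
    """Turn the raw probe facts into findings. Pure function so it can be checked offline."""
    if not starttls_offered:
        return ["server did not advertise STARTTLS in its EHLO reply"]
    findings: list[str] = []
    if version in DEPRECATED_VERSIONS:
        findings.append(f"negotiated {version}, a deprecated protocol version")
    if not verified:
        findings.append("certificate chain or hostname failed verification against the system trust store")
    return findings


def _context(verify: bool) -> ssl.SSLContext:
    context = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on by default
    # Allow old versions on purpose so the probe can report them; the underlying OpenSSL
    # security level may still refuse to negotiate them.
    context.minimum_version = ssl.TLSVersion.TLSv1
    if not verify:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    return context


def _upgrade(host: str, port: int, timeout: float, context: ssl.SSLContext):
    """Connect, upgrade via STARTTLS, and return (version, cipher); None if not advertised."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=context)  # sends STARTTLS, expects 220, then wraps the socket
        smtp.ehlo()  # RFC 3207: EHLO again after TLS, discarding what was learned in plaintext
        return smtp.sock.version(), smtp.sock.cipher()[0]


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Run the probe and return a report dictionary with a list of findings."""
    report: dict = {"host": host, "port": port, "starttls": False,
                    "version": None, "cipher": None, "verified": False, "findings": []}
    try:
        negotiated = _upgrade(host, port, timeout, _context(verify=True))
        report["verified"] = negotiated is not None
    except ssl.SSLCertVerificationError:
        # Reconnect without verification only to learn what the server negotiates;
        # the failed verification is recorded as a finding, not ignored.
        negotiated = _upgrade(host, port, timeout, _context(verify=False))
    except smtplib.SMTPResponseException as exc:
        report["starttls"] = True
        report["findings"] = [f"STARTTLS advertised but refused: {exc.smtp_code} {exc.smtp_error!r}"]
        return report
    if negotiated is not None:
        report["starttls"] = True
        report["version"], report["cipher"] = negotiated
    report["findings"] = assess(report["starttls"], report["version"], report["verified"])
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"  # placeholder host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for key, value in probe(target, target_port).items():
        print(f"{key}: {value}")
```

Run it as `python probe_starttls.py mail.example.test 25` (file name and host are placeholders). A server that advertises STARTTLS but presents a certificate that does not chain to a trusted root, or negotiates TLS 1.0, shows up in `findings`; an empty list means the upgrade succeeded with a verified certificate and a current protocol version, which is the minimum a correctly configured server should achieve.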