STARTTLS or StartTLS is a procedure for initiating the encryption of a communication using Transport Layer Security (TLS).


In the Simple Mail Transfer Protocol (SMTP), a server uses the STARTTLS response to announce that, from its side, further communication can be encrypted. Shortly afterwards this mechanism was also specified for the Internet Message Access Protocol (IMAP) and for the Post Office Protocol (POP), the latter with the different keyword STLS.

An older method of encrypting the connection between the mail program (client) and the mail server negotiates the encryption during connection setup, by addressing dedicated ports. In the following examples of standard ports, the S appended to the protocol name denotes the secured variant:

  • SMTP on port 25 or 587 and SMTPS on port 465
  • IMAP on port 143 and IMAPS on port 993
  • POP3 on port 110 and POP3S on port 995

In contrast, a connection using the STARTTLS method always starts unencrypted on the port intended for clear text. Encryption is negotiated only after the STARTTLS command has been issued. The encryption then takes place within the same connection; no new connection is established. An essential advantage is that the peers, i.e. the two ends of the connection, can negotiate the technical capabilities of both sides. If a plain text connection is attempted on a dedicated SSL port, it inevitably fails, and the same is true of the reverse combination. The user or an administrator then has to intervene. With STARTTLS, the client can, for example, detect (without user intervention) that the server offers the extension and automatically make use of it. In the alternative case, the client would first have to contact the dedicated port, wait for the timeout and then try the port for unencrypted communication.

An essential drawback, however, is that a firewall has to analyse traffic at the application layer to distinguish encrypted from unencrypted connections. The same applies to proxies: they do work at the application level, but they can decide much more easily and quickly whether caching should be performed when the distinction can be made by port.

Another disadvantage compared with SSL stems from the fact that most e-mail programs use 'TLS if possible' by default, and it is not visible to the user when the connection to the mail server is not (or is no longer) encrypted. In addition, third parties who have access to the network traffic can filter out the STARTTLS command and so read along, unnoticed, with the mail transport, which is then unencrypted, as happened in December 2008 at the mobile phone provider O2.
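The difference between 'TLS if possible' and a client that insists on encryption can be shown on the EHLO reply alone. The following is an added example, not part of the original text; the host name, the two sample replies and the function names are constructed for illustration.

```python
class DowngradeRefused(Exception):
    """TLS is required but the reply the client received offers no STARTTLS."""


def parse_ehlo(reply: str) -> set[str]:
    """Return the upper-cased extension keywords of a multi-line 250 reply."""
    keywords = set()
    for i, line in enumerate(reply.strip().splitlines()):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError(f"unexpected reply line: {line!r}")
        if i == 0:
            continue  # first line carries the server's domain, not an extension
        if rest.strip():
            keywords.add(rest.split()[0].upper())  # keywords are case-insensitive
    return keywords


def next_step(reply: str, require_tls: bool) -> str:
    """Decide what the client does after EHLO on the clear-text port."""
    if "STARTTLS" in parse_ehlo(reply):
        return "STARTTLS"  # upgrade within this same connection
    if require_tls:
        # Fail closed: no credentials or mail are sent over this connection.
        raise DowngradeRefused("server reply did not advertise STARTTLS")
    return "PLAINTEXT"  # 'TLS if possible': silent fallback, invisible to the user


# Constructed sample replies (mail.example.org is a placeholder host).
HONEST = (
    "250-mail.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
# The same reply as the client sees it when the STARTTLS line was filtered in transit.
FILTERED = (
    "250-mail.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

if __name__ == "__main__":
    for name, reply in (("honest", HONEST), ("filtered", FILTERED)):
        print(name, "opportunistic ->", next_step(reply, require_tls=False))
        try:
            print(name, "required      ->", next_step(reply, require_tls=True))
        except DowngradeRefused as exc:
            print(name, "required      -> aborted:", exc)
```

A client cannot tell a filtered reply from that of a server without TLS support, so only the strict policy keeps the missing keyword from leading to clear-text transport.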

RFC 2595, which specifies STARTTLS for POP3, IMAP and ACAP, discourages the earlier procedure with separate ports for TLS. However, STARTTLS cannot prevent client software that does not know STARTTLS from sending the login information in plain text (see Chapter 9 of RFC 2595). With the use of dedicated ports for TLS this is ruled out. The dedicated ports for POP3 and IMAP with TLS are still registered with the Internet Assigned Numbers Authority.


For HTTP, RFC 2817 specifies a method comparable to STARTTLS for establishing TLS connections. Usually, however, HTTPS in accordance with RFC 2818 is used here.


With LDAP (RFC 4511), too, encryption can be initiated using the STARTTLS command.