by smorrebrod 1214 days ago
Isn't 465 safer since 587 uses STARTTLS and STARTTLS can be downgraded?

> since 587 uses STARTTLS and STARTTLS

Technically yes, but for the last decade I've seen only one instance where 587 was explicitly STARTTLS (Fastmail), everyone else just running TLS on it.

How can I check if a connection is TLS or STARTTLS?
Connect to the smtp server and issue `EHLO something` command, then check if STARTTLS is mentioned in the server response.
Thanks!
Minor nitpicks:

a) you need a plain-text aka telnet client for this

b) if you receive valid, human-readable text then it means that you are not on TLS for sure

c) if b) succeeds that doesn't mean that the SMTP server supports STARTTLS; you should check the options and try to initiate it, e.g.:

        220 smtp.fastmail.com ESMTP ready
    ->  EHLO just.testing.things
        250-smtp.fastmail.com
        250-PIPELINING
        250-SIZE 71000000
        250-ENHANCEDSTATUSCODES
        250-8BITMIME
    !!  250 STARTTLS
    ->  STARTTLS
        220 2.0.0 Start TLS
Right, I guess you could also use openssl's s_client like this:

  openssl s_client -starttls smtp -connect smtp.gmail.com:587
  openssl s_client -connect smtp.gmail.com:465
smtp.gmail.com:587 is still STARTTLS.
STARTTLS is a protocol. Allowing unencrypted connections is a policy. One does not imply the other.
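An added example, not posted by anyone in this thread, that automates the two checks discussed above: it parses an EHLO reply for the STARTTLS keyword, and for a live probe relies on the fact that an implicit-TLS port never sends a readable greeting (the plain read times out, the point made in nitpick b). The captured reply is constructed from the exchange quoted above; the client name `probe.example` and the `probe()` helper are assumptions, and `probe()` needs network access so it is not exercised offline.

```python
import socket
import ssl

# Constructed sample: the EHLO reply quoted earlier in the thread.
SAMPLE_EHLO_REPLY = (
    "250-smtp.fastmail.com\r\n250-PIPELINING\r\n250-SIZE 71000000\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 STARTTLS\r\n"
)

def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into (ok, extension keywords).
    Continuation lines are '250-...', the final line is '250 ...' (RFC 5321)."""
    keywords = []
    for line in reply.splitlines():
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            return False, []
        keywords.append(line[4:].strip().split(" ")[0].upper())
        if line[3] == " ":
            break  # last line of the reply
    return bool(keywords), keywords[1:]  # first line is the server's own name

def advertises_starttls(reply):
    ok, keywords = parse_ehlo(reply)
    return ok and "STARTTLS" in keywords

def _read_reply(sock):
    """Read one complete SMTP reply: stop once the last full line is '<code> ...'."""
    data = b""
    while not (data.endswith(b"\r\n") and data[:-2].rsplit(b"\r\n", 1)[-1][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", errors="replace")

def probe(host, port, timeout=5.0):
    """Classify a live port as 'implicit-tls', 'starttls' or 'plaintext' (assumed helper).
    An implicit-TLS port waits for our ClientHello and never sends a readable greeting."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            greeting = _read_reply(sock)
        except (socket.timeout, TimeoutError):
            greeting = ""  # no plaintext banner: the server expects TLS first
        if not greeting.startswith("220"):
            tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            return "implicit-tls" if _read_reply(tls).startswith("220") else "unknown"
        sock.sendall(b"EHLO probe.example\r\n")  # hypothetical client name
        return "starttls" if advertises_starttls(_read_reply(sock)) else "plaintext"
```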