As far as I understood, both encrypt the connection. However, SSL/TLS "forces" the mail client to encrypt the channel from the beginning. Now let's say I telnet mail.server 25 and, after the ehlo, I am presented with STARTTLS as an authentication option that the server allows me (the mail client) to use. If I choose STARTTLS does it mean that I can authenticate myself (mail client) against the server (using my digital certificate)? why and how?
I am doing as follows but I don't understand where does the client authentication part comes in:
telnet some.mail.server 25
ehlo some.mail.server
...
250-STARTTLS
...
STARTTLS
mail from: guy
rcpt to: otherGuy
data
someting
.
quit
Shouldn't I be sending the client certificate to the server? I tried this using openssl s_client -starttls smtp which actually provides a -cert and -key options to specify the certificate and private key.
So, in fact, the only disadvantage of SSL/TLS compared to STARTTLS is that since the connection is immediately encrypted, there is no way for the client to send its certificate on the same port. Only the server can send its certificate. Correct? A lot of confusion in my head... Please clarify this for me.
Both direct TLS mode and TLS upgrade using STARTTLS can use client certificates. The only difference between these modes is that with STARTTLS you start with a plain connection and later upgrade if the server announces support for STARTTLS. A man in the middle could strip this announcement (similar to sslstrip) and thus prevent the upgrade to TLS. This is actually used in practice, see https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks.
Unfortunately MX records, which are used to announce which servers are responsible for the mail transfer, can only announce hosts and no ports and in this case the default port 25 will be used with the plain SMTP protocol. Thus you can only get TLS by using the STARTTLS command.