During a penetration test you capture an SMTP session between the organization's mail server and an external partner. After the EHLO exchange you see the command 'STARTTLS' followed by a TLS handshake. Management claims this means all outbound email is now fully encrypted until it reaches recipients. As the consultant, what is the correct explanation?
The SMTP channel is encrypted only for this hop; without S/MIME or OpenPGP the message can still be stored or forwarded in clear text later.
The command digitally signs each message with the server's certificate, providing authenticity but not confidentiality.
It establishes an IPsec ESP tunnel between sender and recipient networks, protecting headers and body throughout transit.
STARTTLS guarantees end-to-end encryption of the message body until it is opened in the recipient's mail client.
SMTP with STARTTLS upgrades the transport connection to TLS only for the single hop between the two mail transfer agents that negotiated it. The message contents are decrypted as soon as they are accepted by the next server and may travel further or be stored in plaintext. End-to-end protection that persists to the recipient's mailbox requires a message-level scheme such as S/MIME or OpenPGP. STARTTLS neither signs the mail nor creates an IPsec tunnel; it simply provides opportunistic, hop-by-hop encryption of the SMTP channel.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is STARTTLS and how does it work in SMTP?
Open an interactive chat with Bash
How is STARTTLS different from S/MIME or OpenPGP?
Open an interactive chat with Bash
Why doesn’t STARTTLS guarantee full email confidentiality?
Open an interactive chat with Bash
What does STARTTLS do in an SMTP session?
Open an interactive chat with Bash
What is the difference between STARTTLS and end-to-end encryption?
Open an interactive chat with Bash
Why can a message encrypted with STARTTLS still be stored in plaintext later?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .