Problems enforcing TLS on newer Outlook versions; security of STARTTLS

Question

When using older versions of Outlook, eg. 2013, I'm given two separate choices for the encrypted connection type - SSL or TLS. As SSL has been deprecated by my mail service provider, I switched to TLS. Outlook 2013 has given me no trouble in this regard, TLS works fine.

It's a bit different on newer Outlook 2019. The choices there are different - I can either select SSL/TLS as a combined option, or STARTTLS. When SSL/TLS is selected, I'm assuming Outlook is defaulting to trying SSL instead of TLS, as I get an error saying "Your server does not support the connection encryption type you have specified". If I choose the STARTTLS option instead, it works - but isn't STARTTLS the less secure option, as it can apparently be forced into an unencrypted connection? Or do newest Outlook versions handle it more securely?

If STARTTLS is not recommended for use, how do I get TLS to work properly on Outlook 2019? I'm using a standard desktop version of Office, on Windows 10, trying to connect to the same SMTP and IMAP server on both of the mentioned Outlook versions.

Answer 1

Hi @kd-5257 ,

Please kindly understand that Support for Office 2013 ended on April 11, 2023, Microsoft will no longer provide technical support, but all of your Office 2013 apps will continue to function.

According to my test, I can enable the SSL/TLS in office2019 when I configure the Gmail.

I have checked the IMAP configuration from Gmail.

May I know how do you configure your account? What is the port of SMTP? You can check the port from your email provider.

Make sure your OS doesn't have an outdated TLS version, as later versions mean TLS 1.2 will be the default security protocol.

Besides, for the differences between SSL/TLS and STARTTLS, you can refer to this article: SSL vs. TLS vs. STARTTLS Encryption

(Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi @kd-5257 ,

Is it safe? STARTTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL.

The StartTLS process

SMTP always starts unencrypted. The StartTLS command starts the negotiation between server and client. Here’s an outline of the communication that happens between the email client and email server.

1. The process begins with the Transmission Control Protocol (TCP) handshake to help both the email client and server identify each other.
2. The server identifies with 220 Ready that the email client can proceed with the communication.
3. The client sends the server “EHLO” to inform the server that the client would like to use Extended SMTP (the more advanced version of SMTP that lets you include images, attachments, etc.).
4. The client sends “250-STARTTLS” to the mail server to ask whether or not StartTLS is accepted.
5. If the server sends back “go head,” the StartTLS connection can be created. 
6. The client restarts the connection and the email message has been encrypted.

Finally, I suggest you use implicit SSL/TLS on port 465 or upgrading to STARTTLS on port 587.

An additional article: https://unione.io/en/blog/starttls-what-is-it-and-how-does-it-work#process

(Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)