Network Working Group P. Hoffman
Request for Comments: 3207 Internet Mail Consortium
Obsoletes: 2487 February 2002
Category: Standards Track
SMTP Service Extension for
Secure SMTP over Transport Layer Security
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document describes an extension to the SMTP (Simple Mail
Transfer Protocol) service that allows an SMTP server and client to
use TLS (Transport Layer Security) to provide private, authenticated
communication over the Internet. This gives SMTP agents the ability
to protect some or all of their communications from eavesdroppers and
SMTP [RFC2821] servers and clients normally communicate in the clear
over the Internet. In many cases, this communication goes through
one or more router that is not controlled or trusted by either
entity. Such an untrusted router might allow a third party to
monitor or alter the communications between the server and client.
Further, there is often a desire for two SMTP agents to be able to
authenticate each others' identities. For example, a secure SMTP
server might only allow communications from other SMTP agents it
knows, or it might act differently for messages received from an
agent it knows than from one it doesn't know.
Hoffman Standards Track [Page 1]RFC 3207 SMTP Service Extension - Secure SMTP over TLS February 2002
TLS [TLS], more commonly known as SSL, is a popular mechanism for
enhancing TCP communications with privacy and authentication. TLS is
in wide use with the HTTP protocol, and is also being used for adding
security to many other common protocols that run over TCP.
This document obsoletes RFC 2487.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. STARTTLS Extension
The STARTTLS extension to SMTP is laid out as follows:
(1) the name of the SMTP service defined here is STARTTLS;
(2) the EHLO keyword value associated with the extension is STARTTLS;
(3) the STARTTLS keyword has no parameters;
(4) a new SMTP verb, "STARTTLS", is defined;
(5) no additional parameters are added to any SMTP command.
3. The STARTTLS Keyword
The STARTTLS keyword is used to tell the SMTP client that the SMTP
server is currently able to negotiate the use of TLS. It takes no
4. The STARTTLS Command
The format for the STARTTLS command is:
with no parameters.
After the client gives the STARTTLS command, the server responds with
one of the following reply codes:
220 Ready to start TLS
501 Syntax error (no parameters allowed)
454 TLS not available due to temporary reason
Hoffman Standards Track [Page 2]RFC 3207 SMTP Service Extension - Secure SMTP over TLS February 2002
If the client receives the 454 response, the client must decide
whether or not to continue the SMTP session. Such a decision is
based on local policy. For instance, if TLS was being used for
client authentication, the client might try to continue the session,
in case the server allows it even with no authentication. However,
if TLS was being negotiated for encryption, a client that gets a 454
response needs to decide whether to send the message anyway with no
TLS encryption, whether to wait and try again later, or whether to
give up and notify the sender of the error.
A publicly-referenced SMTP server MUST NOT require use of the
STARTTLS extension in order to deliver mail locally. This rule
prevents the STARTTLS extension from damaging the interoperability of
the Internet's SMTP infrastructure. A publicly-referenced SMTP
server is an SMTP server which runs on port 25 of an Internet host
listed in the MX record (or A record if an MX record is not present)