SMTP Service Extension for Secure SMTP over Transport Layer Security
RFC 3207

Document Type RFC - Proposed Standard (February 2002; Errata)
Updated by RFC 7817
Obsoletes RFC 2487
Was draft-hoffman-rfc2487bis (individual)
Author Paul Hoffman 
Last updated 2020-01-21
Stream Legacy
Formats plain text html pdf htmlized with errata bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 3207 (Proposed Standard)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         P. Hoffman
Request for Comments: 3207                      Internet Mail Consortium
Obsoletes: 2487                                            February 2002
Category: Standards Track

                      SMTP Service Extension for
               Secure SMTP over Transport Layer Security

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.


   This document describes an extension to the SMTP (Simple Mail
   Transfer Protocol) service that allows an SMTP server and client to
   use TLS (Transport Layer Security) to provide private, authenticated
   communication over the Internet.  This gives SMTP agents the ability
   to protect some or all of their communications from eavesdroppers and

1. Introduction

   SMTP [RFC2821] servers and clients normally communicate in the clear
   over the Internet.  In many cases, this communication goes through
   one or more router that is not controlled or trusted by either
   entity.  Such an untrusted router might allow a third party to
   monitor or alter the communications between the server and client.

   Further, there is often a desire for two SMTP agents to be able to
   authenticate each others' identities.  For example, a secure SMTP
   server might only allow communications from other SMTP agents it
   knows, or it might act differently for messages received from an
   agent it knows than from one it doesn't know.

Hoffman                     Standards Track                     [Page 1]
RFC 3207     SMTP Service Extension - Secure SMTP over TLS February 2002

   TLS [TLS], more commonly known as SSL, is a popular mechanism for
   enhancing TCP communications with privacy and authentication.  TLS is
   in wide use with the HTTP protocol, and is also being used for adding
   security to many other common protocols that run over TCP.

   This document obsoletes RFC 2487.

1.1 Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

2. STARTTLS Extension

   The STARTTLS extension to SMTP is laid out as follows:

   (1) the name of the SMTP service defined here is STARTTLS;

   (2) the EHLO keyword value associated with the extension is STARTTLS;

   (3) the STARTTLS keyword has no parameters;

   (4) a new SMTP verb, "STARTTLS", is defined;

   (5) no additional parameters are added to any SMTP command.

3. The STARTTLS Keyword

   The STARTTLS keyword is used to tell the SMTP client that the SMTP
   server is currently able to negotiate the use of TLS.  It takes no

4. The STARTTLS Command

   The format for the STARTTLS command is:


   with no parameters.

   After the client gives the STARTTLS command, the server responds with
   one of the following reply codes:

   220 Ready to start TLS
   501 Syntax error (no parameters allowed)
   454 TLS not available due to temporary reason

Hoffman                     Standards Track                     [Page 2]
RFC 3207     SMTP Service Extension - Secure SMTP over TLS February 2002

   If the client receives the 454 response, the client must decide
   whether or not to continue the SMTP session.  Such a decision is
   based on local policy.  For instance, if TLS was being used for
   client authentication, the client might try to continue the session,
   in case the server allows it even with no authentication.  However,
   if TLS was being negotiated for encryption, a client that gets a 454
   response needs to decide whether to send the message anyway with no
   TLS encryption, whether to wait and try again later, or whether to
   give up and notify the sender of the error.

   A publicly-referenced SMTP server MUST NOT require use of the
   STARTTLS extension in order to deliver mail locally.  This rule
   prevents the STARTTLS extension from damaging the interoperability of
   the Internet's SMTP infrastructure.  A publicly-referenced SMTP
   server is an SMTP server which runs on port 25 of an Internet host
   listed in the MX record (or A record if an MX record is not present)
   for the domain name on the right hand side of an Internet mail

   Any SMTP server may refuse to accept messages for relay based on
   authentication supplied during the TLS negotiation.  An SMTP server
   that is not publicly referenced may refuse to accept any messages for
   relay or local delivery based on authentication supplied during the
Show full document text