docs: Clarify description of explicit TLS (#3017)

* Fix #3007: Changed description of explicit TLS to indicate that insecure connections are rejected * Further clarification that description only applies to authentication Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2024-09-29 02:31:20 +02:00 · 2023-01-22 13:09:38 +01:00 · 2023-01-22 13:09:38 +01:00 · b2cd66fcda
commit b2cd66fcda
parent efeb93e094
1 changed files with 1 additions and 1 deletions
--- a/docs/content/config/security/understanding-the-ports.md
+++ b/docs/content/config/security/understanding-the-ports.md
@ -66,7 +66,7 @@ flowchart LR

 #### Explicit TLS (aka Opportunistic TLS) - Opt-in Encryption

-Communication on these ports begin in [cleartext][ref-clear-vs-plain], indicating support for `STARTTLS`. If both client and server support `STARTTLS` the connection will be secured over TLS, otherwise no encryption will be used.
+Communication on these ports begin in [cleartext][ref-clear-vs-plain], indicating support for `STARTTLS`. If both client and server support `STARTTLS` the connection will be secured over TLS, otherwise the connection is unable to use encryption to secure it. By default, `docker-mailserver` is configured to reject connections that fail to establish a secure connection when authentication is required, rather than allow an insecure connection (_Port 25 will allow receiving unencrypted deliveries which doesn't require authentication_).

 Support for `STARTTLS` is not always implemented correctly, which can lead to leaking credentials(client sending too early) prior to a TLS connection being established. Third-parties such as some ISPs have also been known to intercept the `STARTTLS` exchange, modifying network traffic to prevent establishing a secure connection.