mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

Why does mox not use port 587 for mail delivery? #178

Closed hymalsurk closed 2 months ago

hymalsurk commented 3 months ago

RFC 8314 (SMTP MTA Strict Transport Security) recommends moving away from port 465 and switching to STARTTLS on port 587 for secure mail delivery.

mjl- commented 3 months ago

hi @hymalsurk, i think you may be mixing a few concepts up here. rfc 8314 is "Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access". mta-sts is in rfc 8461, "SMTP MTA Strict Transport Security (MTA-STS)".

you're mentioning "mail delivery", but the term for the service on ports 465 and 587 is "mail submission". submission is used by mail clients (aka mail user agents, or mua's) to submit messages to the queue for delivery. mail delivery (or "relay") is between mail servers (not involving mail clients) that happens on port 25, typically based on MX records. communication on all these ports is smtp, but the submission ports typically use authentication, while delivery/relay is unauthenticated. smtp delivery is always only on port 25 (essentially for historic reasons, see https://www.xmox.nl/xr/dev/rfc/8314.html#L995). delivery/relay on port 25 does opportunistically enable tls with starttls (but without verifying tls certificates). mta-sts only applies to delivery, not to submission. mta-sts adds some verification of tls certificates. dane is another, stronger, tls certificate verification mechanism.

about port 587 vs 465: we're moving away from the old starttls mechanism on port 587 to "implicit tls" on port 465. connections on port 587 start out without tls, in clear text (see the introduction summary line, https://www.xmox.nl/xr/dev/rfc/8314.html#L142). the (optional) starttls command then enables tls. however, it's safer to immediately start with tls on a connection (preventing mitm from stripping the server support announcement of the "starttls" capability, which could cause insecure clients to continue without tls, in plain text). that's port 465 with "implicit tls" (that term always confuses me, i call it "immediate tls").

i hope this helps and doesn't raise more questions than it answers. (:
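The reply above hinges on one detail: on port 587 the client only learns that TLS is available from a cleartext EHLO reply, and whether it fails closed when that advertisement is missing is a client policy, not a protocol guarantee. The following is an added illustration, not code from mox or from the commenter, that models that decision point. The hostnames and the two EHLO replies are constructed; the "stripped" reply is simply the honest one with the STARTTLS line absent, which is what a client sees in the scenario the comment describes. With implicit TLS on 465 the EHLO exchange already happens inside the TLS session, so there is no cleartext advertisement for anyone to remove.

```python
# Added illustration (not mox code): the client-side decision after EHLO on a
# submission connection. Hostnames and capability lists below are constructed.
from enum import Enum


class TlsMode(Enum):
    IMPLICIT = "implicit"                      # port 465: TLS handshake precedes any SMTP bytes
    STARTTLS_REQUIRED = "required"             # port 587, client refuses to proceed without STARTTLS
    STARTTLS_OPPORTUNISTIC = "opportunistic"   # port 587, client falls back to cleartext


# Constructed EHLO reply from an honest server that supports STARTTLS.
EHLO_HONEST = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# The same reply as it arrives when an on-path party has removed the
# STARTTLS line (the stripping scenario described in the comment above).
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply: str) -> set:
    """Return the set of capability keywords advertised in a multi-line EHLO reply.

    Every line is '250-KEYWORD ...' except the last, which is '250 KEYWORD ...'.
    The first 250 line carries the server greeting, not a capability, so it is skipped.
    """
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    caps = set()
    for line in lines[1:]:
        words = line[4:].split()
        if words:
            caps.add(words[0].upper())
    return caps


def next_step(mode: TlsMode, ehlo_reply: str) -> str:
    """Decide what a client does once it has read the EHLO reply.

    With implicit TLS the EHLO reply was itself received inside the TLS session,
    so no cleartext advertisement exists to be tampered with and nothing is decided here.
    """
    if mode is TlsMode.IMPLICIT:
        return "tls-already-established"
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "send-starttls"
    if mode is TlsMode.STARTTLS_REQUIRED:
        return "abort"               # fail closed: no TLS offered, refuse to authenticate
    return "continue-cleartext"      # the downgrade: credentials and mail go out in the clear


def outcomes(ehlo_reply: str) -> dict:
    """Map every client mode to its decision for one EHLO reply."""
    return {mode.value: next_step(mode, ehlo_reply) for mode in TlsMode}


if __name__ == "__main__":
    for label, reply in (("honest", EHLO_HONEST), ("stripped", EHLO_STRIPPED)):
        print(label, outcomes(reply))
```

Running it shows the three client policies diverge only on the stripped reply: the opportunistic client continues in cleartext, the required-STARTTLS client aborts, and the implicit-TLS client never reaches the decision at all. That is the practical reason to prefer 465, and, where 587 must stay in use, to configure clients to require STARTTLS rather than treat it as optional.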

mjl- commented 2 months ago

I think this was answered, so closing the issue. Feel free to reopen if there's still something to be done.