Some IMAP servers (mail providers) make secure connections only
available via STARTTLS but not via separate-port TLS.
However, the current "opportunistic" implementation is susceptible to
downgrade attacks, that is, a client can be fooled into thinking the
server doesn't support it – and will happily continue with the rest of
the connection in plaintext.
Adding this option allows STARTTLS mode to provide the same level of
security (resilience to downgrade attacks) as TLS on separate port does.
quentinsf
commented
4 years ago
Some IMAP servers (mail providers) make secure connections only available via STARTTLS but not via separate-port TLS.
However, the current "opportunistic" implementation is susceptible to downgrade attacks, that is, a client can be fooled into thinking the server doesn't support it – and will happily continue with the rest of the connection in plaintext.
Adding this option allows STARTTLS mode to provide the same level of security (resilience to downgrade attacks) as TLS on separate port does.