What is suggested method for securing submission port 587 on SMTP server, STARTTLS command or direct TLS layer?
I currently tend to use a (mandatory) STARTTLS command and not a direct TLS layer. In case of problems, the STARTTLS command can be disabled without changing the MUA's configuration. I think in the case of direct usage of the TLS layer it would not be so straightforward.
Are there any other suggestions or opinions? I didn't find out if it is standardised in some RFC.
RFC 4409 talks only about plain-text communication with an optional STARTTLS command on submission port 587.
Ignoring the other SSL/TLS security issues, the important thing is to ensure protection against SSL/TLS stripping attacks.
If the MUA is configured to connect to port 587 with STARTTLS, it must refuse the connection when a MITM attacker strips STARTTLS from the EHLO exchange.
If the server is configured to use an SSL/TLS-wrapped SMTP layer and the client is configured to use the wrapped layer, again the MUA client must refuse the connection when a MITM attacker strips the whole SSL/TLS layer.
From a security point of view there is no difference between these two approaches.
Nevertheless, it is generally advisable to respect the RFC and use STARTTLS on port 587.
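The refusal the answer describes, as an added example that is not part of the question or the answer above: a small Python client-side check that parses the raw EHLO reply, treats a missing STARTTLS capability as a stripped connection and aborts before any credentials or message data are sent in the clear. The sample EHLO replies are constructed for illustration (the host name mail.example.test and the capability lines are invented), and the live submission helper assumes a server reachable on port 587; it uses only the standard library's smtplib and ssl modules.

```python
import smtplib
import ssl


def parse_ehlo(response):
    """Parse a raw EHLO reply (bytes as seen on the wire) into
    (status_code, {EXTENSION: [params]}).  Raises ValueError on a
    reply that does not follow the "NNN-text" / "NNN text" line shape."""
    lines = response.decode("ascii", "replace").splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    code = None
    extensions = {}
    for index, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError("malformed EHLO reply line: %r" % line)
        code = int(line[:3])
        if index == 0:
            continue  # first line carries the server's domain/greeting, not a keyword
        parts = line[4:].split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return code, extensions


def starttls_offered(response):
    """True only if the server answered 250 and advertised STARTTLS verbatim.
    A reply where the keyword is absent or mangled (middleboxes have been known
    to blank the line) counts as 'not offered', so the caller must abort."""
    code, extensions = parse_ehlo(response)
    return code == 250 and "STARTTLS" in extensions


def submit_with_mandatory_starttls(host, username, password, sender, recipient, body,
                                   port=587):
    """Live submission helper (assumed server on port 587).  It refuses to
    continue in plaintext when STARTTLS is not advertised, and it verifies the
    server certificate against the system trust store with hostname checking."""
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=30) as session:
        session.ehlo()
        if not session.has_extn("starttls"):
            # Refusing here is the client-side defence against STARTTLS stripping.
            raise RuntimeError("server did not advertise STARTTLS; refusing plaintext submission")
        session.starttls(context=context)
        session.ehlo()  # capabilities must be re-read after the TLS handshake
        session.login(username, password)  # credentials only ever travel inside TLS
        session.sendmail(sender, [recipient], body)


# Constructed sample replies; the domain and parameters are invented.
EHLO_NORMAL = (b"250-mail.example.test Hello client\r\n"
               b"250-SIZE 35882577\r\n"
               b"250-STARTTLS\r\n"
               b"250 AUTH PLAIN LOGIN\r\n")

# Same reply with the STARTTLS line removed, as a stripping middlebox would leave it.
EHLO_STRIPPED = (b"250-mail.example.test Hello client\r\n"
                 b"250-SIZE 35882577\r\n"
                 b"250 AUTH PLAIN LOGIN\r\n")

# Keyword overwritten instead of removed; must also be treated as not offered.
EHLO_MANGLED = (b"250-mail.example.test Hello client\r\n"
                b"250-XXXXXXXX\r\n"
                b"250 AUTH PLAIN LOGIN\r\n")


if __name__ == "__main__":
    for name, reply in (("normal", EHLO_NORMAL), ("stripped", EHLO_STRIPPED),
                        ("mangled", EHLO_MANGLED)):
        verdict = "proceed to STARTTLS" if starttls_offered(reply) else "REFUSE (no STARTTLS)"
        print("%-8s -> %s" % (name, verdict))
```

The offline checks (starttls_offered) are what a MUA has to get right; the live helper shows the same rule expressed through smtplib, where has_extn() reads the parsed capability list and starttls() performs the upgrade with a verifying context. Note the second ehlo() after the handshake: the pre-TLS capability list came from an unauthenticated channel and should never be reused.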