Updated A mail server's 101 (markdown)

This commit is contained in:
Jean-Denis Vauguet 2020-06-10 00:33:27 +02:00
parent ace11eb966
commit e1d01de2bc


@ -60,16 +60,18 @@ Similarly to IMAP, POP3 may be secured with either: _Implicit_ (enforced) TLS (a
### Summary of ports/security setups
| Protocol | Opt-in Encryption<sup>1</sup> | Enforced Encryption | Purpose |
|----------|---------------------------------|---------------------|----------------------|
| SMTP | 25 | N/A | Transfer<sup>2</sup> |
| ESMTP | 587 _(deprecated<sup>4</sup>)_ | 465<sup>3</sup> | Submission |
| POP3 | 110 _(deprecated<sup>4</sup>)_ | 995 | Retrieval |
| IMAP4 | 143 _(deprecated<sup>4</sup>)_ | 993 | Retrieval |
When talking about emails, the following applies:
1. A connection *may* be secured over TLS when _both_ ends support `STARTTLS`. On ports 110, 143 and 587, `docker-mailserver` will reject a connection that cannot be secured _(preventing [MITM attacks](https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587/32460763#32460763) trough a downgrading)_. Port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections.
2. Port 25 receives email and filters for spam and viruses. For submitting outgoing mail you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will _leave_ the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall).
3. Port 465 is a submission port since 2018, see [RFC 8314](https://tools.ietf.org/html/rfc8314). Originally a secure variant of port 25, it is now dedicated to SMTPS.
| Protocol | Purpose | Default port w/ opt-in Encryption<sup>1</sup> | Enforced Encryption |
|----------|----------------------|-----------------------------------------------|------------------------|
| SMTP | Transfer<sup>2</sup> | 25 | N/A |
| ESMTP | Submission | 587 _(deprecated<sup>4</sup>)_ | SMTPS 465<sup>3</sup> |
| POP3 | Retrieval | 110 _(deprecated<sup>4</sup>)_ | POP3S 995 |
| IMAP4 | Retrieval | 143 _(deprecated<sup>4</sup>)_ | IMAPS 993 |
1. An insecure, unencrypted connection *may* be upgraded to a secured one (over TLS) when _both_ ends support the `STARTTLS` mechanism. On ports 110, 143 and 587, `docker-mailserver` *will* reject a connection that cannot be secured with STARTTLS (_preventing [MITM attacks](https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587/32460763#32460763) trough a downgrading_). Note that port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections; whereas other ports are not and may be limited to STARTTLS (which docker-mailserver enforces).
2. Port 25 is for _incoming_ mail transfer_, ie. it receives email and may filter for spam and viruses upon reception. For transferring _outgoing_ mail (eg. sending emails from within docker-mailserver to another mail server), you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will _leave_ the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall).
3. Port 465 is a submission port again since 2018, see [RFC 8314](https://tools.ietf.org/html/rfc8314). Originally a secure variant of port 25, it is now dedicated to SMTPS.
4. [RFC 8314](https://tools.ietf.org/html/rfc8314) is recommending that clear text exchanges to be abandoned and that all three common IETF mail protocols to be used only in implicit mode (no STARTTLS).
## How does docker-mailserver help with setting everything up?
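Review bot: in footnote 2 of the new text, the example given for the submission ports describes a transfer case, not a submission case: "sending emails from within docker-mailserver to another mail server" is server-to-server delivery, which the very next sentence says leaves the server via port 25, so the reader is told to prefer 465/587 for traffic that will never use them. Suggest replacing the parenthetical with a client-side case, e.g. "(e.g. a mail client handing mail to docker-mailserver for delivery)", and leaving the port 25 sentence as the outbound rule. Smaller points in the same hunk: the "_(deprecated<sup>4</sup>)_" tag on 587, 110 and 143 reads as if the ports themselves were deprecated, while footnote 4 only says RFC 8314 recommends abandoning cleartext and prefers implicit TLS (the RFC does not retire port 587); since footnote 1 states that docker-mailserver enforces STARTTLS on those ports, something like "STARTTLS _(implicit TLS preferred<sup>4</sup>)_" would be accurate. Footnote 1 still carries "trough a downgrading" from the old text (should be "through a downgrade"); footnote 2 has an unbalanced italic marker in "_incoming_ mail transfer_,"; footnote 4 should read "recommends that cleartext exchanges be abandoned and that all three common IETF mail protocols be used only in implicit TLS mode (no STARTTLS)".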