diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md
index 75ef71c9..4ae7284e 100644
--- a/docs/content/a-mail-server's-101.md
+++ b/docs/content/a-mail-server's-101.md
@@ -60,16 +60,18 @@ Similarly to IMAP, POP3 may be secured with either: _Implicit_ (enforced) TLS (a
### Summary of ports/security setups
-| Protocol | Opt-in Encryption1 | Enforced Encryption | Purpose |
-|----------|---------------------------------|---------------------|----------------------|
-| SMTP | 25 | N/A | Transfer2 |
-| ESMTP | 587 _(deprecated4)_ | 4653 | Submission |
-| POP3 | 110 _(deprecated4)_ | 995 | Retrieval |
-| IMAP4 | 143 _(deprecated4)_ | 993 | Retrieval |
+When talking about emails, the following applies:
-1. A connection *may* be secured over TLS when _both_ ends support `STARTTLS`. On ports 110, 143 and 587, `docker-mailserver` will reject a connection that cannot be secured _(preventing [MITM attacks](https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587/32460763#32460763) trough a downgrading)_. Port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections.
-2. Port 25 receives email and filters for spam and viruses. For submitting outgoing mail you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will _leave_ the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall).
-3. Port 465 is a submission port since 2018, see [RFC 8314](https://tools.ietf.org/html/rfc8314). Originally a secure variant of port 25, it is now dedicated to SMTPS.
+| Protocol | Purpose | Default port w/ opt-in Encryption1 | Enforced Encryption |
+|----------|----------------------|-----------------------------------------------|------------------------|
+| SMTP | Transfer2 | 25 | N/A |
+| ESMTP | Submission | 587 _(deprecated4)_ | SMTPS 4653 |
+| POP3 | Retrieval | 110 _(deprecated4)_ | POP3S 995 |
+| IMAP4 | Retrieval | 143 _(deprecated4)_ | IMAPS 993 |
+
+1. An insecure, unencrypted connection *may* be upgraded to a secured one (over TLS) when _both_ ends support the `STARTTLS` mechanism. On ports 110, 143 and 587, `docker-mailserver` *will* reject a connection that cannot be secured with STARTTLS (_preventing [MITM attacks](https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587/32460763#32460763) trough a downgrading_). Note that port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections; whereas other ports are not and may be limited to STARTTLS (which docker-mailserver enforces).
+2. Port 25 is for _incoming_ mail transfer_, ie. it receives email and may filter for spam and viruses upon reception. For transferring _outgoing_ mail (eg. sending emails from within docker-mailserver to another mail server), you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will _leave_ the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall).
+3. Port 465 is a submission port again since 2018, see [RFC 8314](https://tools.ietf.org/html/rfc8314). Originally a secure variant of port 25, it is now dedicated to SMTPS.
4. [RFC 8314](https://tools.ietf.org/html/rfc8314) is recommending that clear text exchanges to be abandoned and that all three common IETF mail protocols to be used only in implicit mode (no STARTTLS).
## How does docker-mailserver help with setting everything up?
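Review bot: In the new footnote 2, the parenthetical "(eg. sending emails from within docker-mailserver to another mail server)" describes server-to-server transfer, yet the sentence recommends the submission ports (465, 587) for it, and the very next sentence says outgoing email leaves the server via port 25. Suggest rewording so that 465/587 are described as the ports where authenticated clients hand outgoing mail to docker-mailserver, with port 25 kept for the onward transfer to other servers; as written, a reader could conclude that port 25 outbound is optional and block it at the firewall. In the same footnote, "_incoming_ mail transfer_" has an unpaired trailing underscore that will break the emphasis when rendered. Footnote 1 still carries the typo "trough a downgrading" (should be "through"), and its closing clause "whereas other ports are not and may be limited to STARTTLS (which docker-mailserver enforces)" repeats what the previous sentence already states about ports 110, 143 and 587, so it could be dropped. The new intro line "When talking about emails, the following applies:" does not say what the table covers; something naming ports and encryption modes would read better.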