From 65e2c3ad81fec1ab0ca176c6e3048f721f5432a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Wed, 15 Dec 2021 15:00:37 -0500
Subject: [PATCH] mention TLS security and why we talk about starttls

---
 howto/submission.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/howto/submission.md b/howto/submission.md
index 242771b7..80b416ab 100644
--- a/howto/submission.md
+++ b/howto/submission.md
@@ -9,6 +9,19 @@ authenticated SMTP for LDAP users of the `torproject.org` domain.
 
 # Tutorial
 
+In general, you can configure your email client with the following
+SMTP settings:
+
+ * Server name: `submission.torproject.org`
+ * Port: `587`
+ * Connection security: `STARTTLS`
+ * Authentication method: `Normal password`
+ * User Name: your LDAP username **without** the `@torproject.org`
+   part, e.g. in my case it is `anarcat`
+ * Password: LDAP email password set on the [LDAP dashboard](https://db.torproject.org/update.cgi)
+
+`TLS` connection security, on port `465` is supported and encouraged.
+
 ## Setting an email password
 
 To use the email submission service, you first need to set a "mail
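Review bot: The new settings list gives `STARTTLS` on port `587` as the values to enter, while the sentence right after it says `TLS` on port `465` is "supported and encouraged", so the reader is handed one configuration and told another is preferred. Say which one to try first and why. The reason 587 is the documented default appears only in the last hunk of this patch, so a one-line pointer to that paragraph would close the gap. The comma in "`TLS` connection security, on port `465` is supported" is also unbalanced: drop it or add a second one after `465`.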
@@ -41,6 +54,8 @@ with:
  * User Name: (your LDAP username, e.g. in my case it is `anarcat`,
  **without** the `@torproject.org` part)
 
+`TLS` connection security, on port `465` is supported and encouraged.
+
 Then you can set that account as the default by hitting the "Set
 default" button, if only your `torproject.org` identity is configured
 on the server.
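Review bot: The added line is a verbatim copy of the sentence already added in the Tutorial hunk, and it is repeated once more in the next hunk, so any later change to the port advice has to be made in three places. Consider keeping it once in the general settings and referring to that from the per-client sections. Here it also lands between the "User Name" item and "Then you can set that account as the default", so the "Then" now follows a remark about port 465 instead of the field list it belongs to.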
@@ -72,6 +87,8 @@ password. You should *NOT* get a certificate warning, a real cert
   * Now, enter your correct user name and your correct password.
   * Select `OK`.
 
+`TLS` connection security, on port `465` is supported and encouraged.
+
 ## Other clients
 
 TODO: we should include easy configuration instructions for major
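Review bot: The port 465 remark is placed after the final step ("Select `OK`"), by which point the reader has already finished configuring the account and cannot act on it without starting over. Move it ahead of the steps, or next to the step where the connection security is chosen. Since this section tells the reader they should not get a certificate warning, it would also help to say that the same expectation holds when using `TLS` on `465`.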
@@ -282,6 +299,12 @@ the web interface is used to modify those passwords. Passwords are
 problems between the Perl/ud-ldap implementation and Dovecot which
 haven't been resolved yet.
 
+The "submission" port (587) is used in the documentation by default
+because it is typically *less* blocked by ISP firewalls than the
+"smtps" port (465), but both are supported. The TLS server is
+authenticated using the regular Let's Encrypt CA (see [TLS
+documentation](howto/tls)).
+
 ## Issues
 
 There is no issue tracker specifically for this project, [File][] or
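Review bot: The new paragraph explains why 587 is the documented default but does not reconcile that with the "supported and encouraged" wording used for port 465 in the three earlier hunks. Add a sentence stating which option is preferred when both are reachable. "The TLS server is authenticated using the regular Let's Encrypt CA" is also ambiguous coming right after a sentence about two ports: say explicitly whether it applies to both 587 with `STARTTLS` and 465. Wording nit: "typically *less* blocked" reads more naturally as "less often blocked".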
-- 
GitLab