
ISP caught removing customer mail encryption

In the e-mail world there are two ways to set up a secure, SSL/TLS-encrypted connection between an e-mail client and a server:

  1. You connect to a predefined port and the encryption starts immediately. For encrypted POP3 (aka POP3S) the port is 995 and for encrypted IMAP (aka IMAPS) the port is 993. This is also known as mandatory encryption: the TLS handshake begins as soon as the connection to that port is opened.

  2. You connect normally to the server on the plaintext port, and if the server advertises that it can encrypt the communication, it lists STARTTLS in its capability response. So here the connection is unencrypted at first and is only upgraded to an encrypted one if the server says it supports STARTTLS.

Now, I don't know about you, but I have always felt that method 2 is less secure.
That's why, when traveling, I have always used the IMAPS port 993 (I don't use or need POP3S) for encrypted mail reading from my laptop to my little home e-mail server, and not STARTTLS.

And it seems I was right in my choice:

http://arstechnica.com/tech-policy/2014/11/condemnation-mounts-against-isp-that-sabotaged-users-e-mail-encryption/

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

So if you are in the process of setting up your own home e-mail server (there are a few details to get you started on my personal home pages here: http://www.binarytouch.com/hacking.htm),
then I also warmly suggest that you use, if possible, the encrypted ports directly and not the STARTTLS extension.

Important note: However, it has recently been discovered that the ancient SSLv3 protocol is vulnerable and everybody should upgrade to the newer TLS protocol.

So the situation is quite complex now: either keep using the vulnerable SSLv3 protocol on the dedicated encrypted ports, or start using TLS with the STARTTLS extension and accept the possibility of your ISP removing the encryption completely.
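As an added example (not from this post or its author), here is how a client can check both paths with Python's standard library. It parses the plaintext IMAP greeting or CAPABILITY response to notice when STARTTLS is missing, which is the symptom of the stripping described above, and refuses to continue in plaintext; for the implicit-TLS port it shows that the minimum TLS version is enforced by the client inside the handshake, so SSLv3 can be refused on port 993 as well. The host names are placeholders.

```python
import imaplib
import re
import ssl

# Matches both forms the capability list can take on the plaintext port:
#   * OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] Dovecot ready.
#   * CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN
_CAP_RE = re.compile(r"CAPABILITY\s+([^\]\r\n]*)", re.IGNORECASE)


def parse_capabilities(line: str) -> set:
    """Return the upper-cased capability tokens found in an IMAP response line."""
    match = _CAP_RE.search(line)
    if not match:
        return set()
    return {token.upper() for token in match.group(1).split()}


def starttls_advertised(line: str) -> bool:
    """True only if the server (or whatever is in the path) still offers STARTTLS."""
    return "STARTTLS" in parse_capabilities(line)


def tls_context(min_version=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Certificate- and hostname-verifying context that rejects SSLv3 and old TLS."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    return ctx


def connect_imaps(host: str, port: int = 993) -> imaplib.IMAP4_SSL:
    """Path 1: mandatory encryption. TLS starts before any IMAP bytes are exchanged."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=tls_context())


def connect_starttls(host: str, port: int = 143) -> imaplib.IMAP4:
    """Path 2: opportunistic encryption. Fail closed if STARTTLS was not advertised."""
    conn = imaplib.IMAP4(host, port)  # plaintext so far; imaplib reads CAPABILITY
    if "STARTTLS" not in conn.capabilities:
        conn.logout()
        raise RuntimeError(
            "STARTTLS not advertised on %s:%d; refusing to log in over plaintext" % (host, port)
        )
    conn.starttls(ssl_context=tls_context())  # upgrade before sending credentials
    return conn
```

Call `connect_imaps("mail.example.invalid")` or `connect_starttls("mail.example.invalid")` with your own server name; neither function sends a password, so a stripped STARTTLS shows up as the raised error rather than as a plaintext login.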

Posted by Stefan Fröberg 2014-11-18 Labels: security e-mail
