There are two modes of operation that PMDF-TLS supports:

1. Connecting to a TLS-enabled port where TLS negotiation happens immediately once the TCP connection has been established; and
2. Connecting to a "regular" port and then issuing a STARTTLS command¹ to begin TLS negotiation.

Connecting to a special port number is currently the more commonly used way to connect to a TLS-enabled server, but connecting to a regular port and issuing a STARTTLS command is expected to become the preferred technique. SMTP, IMAP, and POP3 all have established ports for use with TLS (port numbers 465, 993, and 995, respectively). When a client connects to one of these special ports (as configured in the Dispatcher configuration file), PMDF-TLS will immediately begin TLS negotiation. Once the negotiation is complete, the connection will be given to the service as usual.

In the case that a STARTTLS command is used, the TCP connection is established on the usual port number (or an alternate port number if configured in the Dispatcher) and given to the service normally. For instance, if TLS is available to the client in an SMTP session, the server will advertise STARTTLS as one of its available SMTP extensions; the client will then issue the STARTTLS command, the server will acknowledge receipt of the SMTP command and instruct the client to begin TLS negotiation. Again, once the negotiation is complete, the connection continues normally.