diff --git a/.version_history b/.version_history
index 4b8dce6..fb076e9 100644
--- a/.version_history
+++ b/.version_history
@@ -27,3 +27,4 @@ a670de0f,24bd94d,feature/systemd-hardening,2025-09-07T16:40:47Z,michael,git,lua-
 4ee95dbc,08b49d3,security/sanitize-test-scripts,2025-09-07T19:25:38Z,michael,git,lua-api
 59c85431,8b78066,main,2025-09-10T10:20:50Z,michael,git,lua-api
 a71dd794,f5d9f35,main,2025-09-10T12:27:54Z,michael,git,lua-api
+de5318f2,304b010,main,2025-09-10T14:45:12Z,michael,git,lua-api
diff --git a/src/smtp.lua b/src/smtp.lua
index ab59d17..4c08b97 100644
--- a/src/smtp.lua
+++ b/src/smtp.lua
@@ -237,6 +237,33 @@ function SMTP:send_email(to_address, subject, message, from_name)
         return cleanup_and_fail("EHLO failed: " .. response)
     end
 
+    -- STARTTLS hinzufügen für Port 587
+    if self.port == 587 and self.use_ssl then
+        -- STARTTLS command
+        local success, response = self:send_command(sock, "STARTTLS", 220)
+        if not success then
+            return cleanup_and_fail("STARTTLS failed: " .. response)
+        end
+
+        -- Upgrade connection to SSL
+        local ssl_sock, err = self.ssl_compat:wrap_socket(sock, {
+            mode = "client",
+            protocol = "tlsv1_2"
+        })
+
+        if not ssl_sock then
+            return cleanup_and_fail("SSL upgrade failed: " .. err)
+        end
+
+        sock = ssl_sock
+
+        -- EHLO again over encrypted connection
+        local success, response = self:send_command(sock, "EHLO furt-lua", 250)
+        if not success then
+            return cleanup_and_fail("EHLO after STARTTLS failed: " .. response)
+        end
+    end
+
     -- AUTH LOGIN
     local success, response = self:send_command(sock, "AUTH LOGIN", 334)
     if not success then