E-Mail / STARTTLS option not there?

Hi,

in the Wiki is stated:

tls (no|yes|starttls; Default: no) Whether to use TLS encryption:

yes - sends STARTTLS and continue without TLS if a server responds that TLS is not available;
no - do not send STARTTLS;
starttls - sends STARTTLS and drops the session if TLS is not available on the server.

https://help.mikrotik.com/docs/display/ROS/E-mail



But in the ROS (v7.8) there is no “starttls” option, only “tls only”. But it is not stated how this behaves?!

The CLI options haven’t changed, it’s still same as doc’ed:

[me@mt] /tool/e-mail> set tls=<tab>
no  starttls  yes

But in winbox, their “Start TLS” = “tls only” …
it sets “tls=yes” - sends STARTTLS and continue without TLS if a server responds that TLS is not available

Conversely, winbox “Start TLS” = “yes” …
that sets “tls=starttls” - sends STARTTLS and drops the session if TLS is not available on the server.

But I’m just not sure that’s a real improvement in usability – basically they pretend as if the question was “starttls=”, so all the boolean logic gets reversed. (Well, except, “no” means “no”)

Ok, now I am completely lost :smiley:
I want to configure through Winbox a connection via TLS - no STARTTLS-carp. Which option is this?

For my understanding, Winbox says “Start TLS” (which is ambiguous, does “Start TLS” refer to STARTTLS or Start [implicit] TLS):
yes = do the STARTTLS-stuff
no = do unencrypted stuff
tls only = do the “real” implicit TLS without STARTTLS-stuff

But I may be wrong, MT totally screwed this simple thing up… :smiley:

Likely “Yes”

I generally use port 587 and, from Winbox’s POV, it’s “Yes” to the “Start TLS”.

But in CLI, that’s “tls=starttls port=587”

I normally use the SMTP that comes from my domain registrar for these kinda things. But test this with gmail to make sure. It’s for sure backwards between CLI and winbox – they change the UI name, so it’s not wrong, just unhelpful.

converts to:

/tool e-mail
set address=smtp.gmail.com port=587 tls=starttls user="me@gmail.com" password="use-google-app-password"

While Mikrotik made this more confusing in V7, it kinda starts confusing too. The critical thing is the port needs to match the “TLS” setting. In almost all cases:
465 you want “tls only” in winbox (or tls=yes in CLI)
587 you want “yes” in winbox (or tls=starttls in CLI)

_And gmail adds another twist. Since I don’t normally use it, they want you to use an “App Password” for email from a device like RouterOS, apparently. See https://support.google.com/accounts/answer/185833?hl=en_

Sorry about the confusion.
In Winbox, the naming from RouterOS v6 is visible, where TLS-related settings are named differently than in v7.
RouterOS v6 => v7:

  • “Start TLS” => “TLS”
  • “tls only” => “yes”
  • “yes” => “starttls”

The issue is registered.
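
The difference that matters between the three `tls` values, as the documentation quoted at the top of this thread words it, shown as an added example (not code from any poster or from MikroTik). The function names and reply strings are constructed, and the model follows only the quoted wiki text, not observed RouterOS behaviour:

```python
# Added example: models the wiki wording quoted in the thread, not RouterOS code.
import re

_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# Constructed sample replies a server might give to the STARTTLS command.
READY = "220 2.0.0 Ready to start TLS"
UNAVAILABLE = "454 4.7.0 TLS not available due to temporary reason"
NOT_IMPLEMENTED = "502 5.5.1 Command not implemented"


def reply_code(reply: str) -> int:
    """Parse a (possibly multi-line) SMTP reply and return its 3-digit code."""
    lines = reply.strip().splitlines()
    if not lines:
        raise ValueError("empty SMTP reply")
    codes = []
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        is_last = i == len(lines) - 1
        # Continuation lines look like "250-...", the final line like "250 ...".
        if ((m.group(2) or " ") == " ") != is_last:
            raise ValueError(f"bad continuation marker: {line!r}")
        codes.append(int(m.group(1)))
    if len(set(codes)) != 1:
        raise ValueError("reply code changes inside one reply")
    return codes[0]


def outcome(tls: str, starttls_reply: str) -> str:
    """Return 'tls', 'plaintext' or 'dropped' for tls=no|yes|starttls."""
    if tls not in ("no", "yes", "starttls"):
        raise ValueError(f"unknown tls value: {tls!r}")
    if tls == "no":
        return "plaintext"          # STARTTLS is never sent
    if reply_code(starttls_reply) == 220:
        return "tls"                # server accepted the upgrade
    # TLS refused: 'yes' carries on unencrypted, 'starttls' ends the session.
    return "plaintext" if tls == "yes" else "dropped"


if __name__ == "__main__":
    for mode in ("no", "yes", "starttls"):
        for reply in (READY, UNAVAILABLE, NOT_IMPLEMENTED):
            print(f"tls={mode:<8} reply={reply_code(reply)} -> {outcome(mode, reply)}")
```

Under that wording, only `tls=starttls` guarantees the login and message never cross the wire unencrypted when the server refuses the upgrade.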