Comment by upofadown

>I would never use the STARTTLS port (opportunistic encryption) if I knew that the server had a regular TLS port...

That is what XMPP clients tend to do...

These days XMPP servers tend to default to requiring TLS on both 5222 and 5223 (Let's Encrypt has changed everything). Prosody does this for example. It doesn't even support port 5223 by default anymore. Port 5223 was never an official port assignment.

So it is very possible that the MiTM was only done on port 5222 because that was the only port that clients were using.