STARTTLS, in both SMTP and IMAP, can be mitm'd (injection of refusal). We should not be using them any more.

Paul Vixie
Feb 26, 2026 17:57:47 John R Levine <[email protected]>:

> On Wed, 25 Feb 2026, Dan Wing wrote:
>> One approach would be to take the idea of
>> https://datatracker.ietf.org/doc/html/rfc8314 and extend it to include SMTP
>> itself, which would bring QUIC along, doing a happy eyeballs-like attempt at
>> QUIC falling back to TLS-over-TCP falling back to TCP-port-25-STARTTLS
>> falling back to TCP-port-25 plaintext, or as Martin suggested have DNS
>> optimize those choices.
>
> The problem with that is that SMTP doesn't do the TLS handshake at startup,
> only after a STARTTLS command in the TCP session. But see next message.
>
> R's,
> John
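The two points in the exchange above, that a STARTTLS session can be downgraded by an injected refusal and that a fallback chain ending in plaintext hands the attacker the same downgrade, come down to one client-side decision: what to do when encryption cannot be negotiated. The following model, written as an added example for this thread and not taken from any MTA or from the participants, shows that decision explicitly. It parses a multi-line EHLO reply, applies either an opportunistic or a require-TLS policy to the STARTTLS step, and walks the QUIC -> TLS-over-TCP -> STARTTLS -> plaintext chain from Dan Wing's sketch. The transport names, policy names and all EHLO/STARTTLS reply strings are constructed for the example.

```python
"""
Client-side model of SMTP STARTTLS negotiation and of a
QUIC -> TLS-over-TCP -> STARTTLS -> plaintext fallback chain.
Added example for this thread, not code from any mail server or client;
the replies and transport names below are constructed sample data.
"""
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # encrypt if the peer offers it, else go plaintext
    REQUIRE_TLS = "require-tls"      # fail closed when TLS cannot be negotiated


# Fallback order from the quoted proposal, most to least preferred (assumed names).
TRANSPORTS = ["quic", "tls-over-tcp", "starttls-port25", "plaintext-port25"]
ENCRYPTED = {"quic", "tls-over-tcp", "starttls-port25"}


def parse_ehlo(reply: str) -> Tuple[int, Set[str]]:
    """Return (reply code, advertised EHLO keywords) for a multi-line EHLO reply.

    Lines look like '250-KEYWORD params' (more to follow) or '250 KEYWORD'
    (last line); the first line carries the server's domain, not a keyword.
    """
    code: Optional[int] = None
    keywords: Set[str] = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        line_code = int(line[:3])
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed mid-reply")
        if index > 0:
            tokens = line[4:].split()
            if tokens:
                keywords.add(tokens[0].upper())
    if code is None or lines[-1][3] != " ":
        raise ValueError("empty or unterminated reply")
    return code, keywords


def negotiate_starttls(ehlo_reply: str, starttls_reply: Optional[str],
                       policy: Policy) -> str:
    """Decide how a port-25 session proceeds: 'tls', 'plaintext' or 'abort'.

    starttls_reply is the server's answer to the STARTTLS command, or None
    when the client never sends it because STARTTLS was not advertised.
    """
    code, caps = parse_ehlo(ehlo_reply)
    if code != 250:
        return "abort"
    # A middlebox that strips the STARTTLS keyword, or answers the STARTTLS
    # command with an error, looks exactly like a server that has no TLS.
    # Only the policy decides whether that is fatal or merely regrettable.
    tls_offered = "STARTTLS" in caps
    tls_accepted = starttls_reply is not None and starttls_reply.startswith("220")
    if not (tls_offered and tls_accepted):
        return "plaintext" if policy is Policy.OPPORTUNISTIC else "abort"
    return "tls"


def choose_transport(reachable: Dict[str, bool], policy: Policy) -> Optional[str]:
    """Walk the fallback chain and return the first usable transport.

    Under REQUIRE_TLS the walk stops before the plaintext step, so making the
    encrypted options look unreachable yields a failed delivery attempt rather
    than a cleartext one.
    """
    for transport in TRANSPORTS:
        if not reachable.get(transport, False):
            continue
        if transport not in ENCRYPTED and policy is Policy.REQUIRE_TLS:
            return None
        return transport
    return None


# Constructed sample replies.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = (  # the same server as seen through a box that removed STARTTLS
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)
STARTTLS_OK = "220 Ready to start TLS\r\n"
STARTTLS_REFUSED = "454 TLS not available due to temporary reason\r\n"

if __name__ == "__main__":
    for policy in Policy:
        print(policy.value,
              negotiate_starttls(EHLO_WITH_STARTTLS, STARTTLS_OK, policy),
              negotiate_starttls(EHLO_STRIPPED, None, policy),
              negotiate_starttls(EHLO_WITH_STARTTLS, STARTTLS_REFUSED, policy),
              choose_transport({"plaintext-port25": True}, policy))
```

Under the opportunistic policy both the stripped EHLO and the refused STARTTLS end in a plaintext session, which is the downgrade the thread is about; under the require-TLS policy the same inputs abort, and the fallback chain never reaches the plaintext step. The policy has to come from somewhere the on-path party cannot touch (local configuration or an out-of-band source), which is the gap the suggestion of having DNS steer the choice is meant to address.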
