One very important thing to note is that clients on Microsoft's rather
popular OS family (as much as I loathe it personally) will *not* use TLS 1.0
at all, by default.

then they shouldn't claim to conform to the SMTP STARTTLS RFC, and
they shouldn't try to negotiate STARTTLS with a server.

if they can call Microsoft's library with non-default settings that
cause the library to use TLS, fine. if not, they can supply their
own library - because the Microsoft one doesn't allow them to conform
to the standards.

we didn't write a specification for SMTP over TLS so that people could
pretend to support it and actually support something weaker. there
are reasons that TLS was approved for standards track and SSLv3 wasn't.