It is unfortunately common for email client software to silently fall back
to insecure submission if TLS or AUTH fail in any way.

I use Macintosh Eudora (although the Windows version acts the same) where when
I request an SSL (i.e. TLS) session I can designate the SSL as REQUIRED (as
opposed to Optional [i.e. use if offered in the ESMTP 220 message]).

I can see absolutely no justification for providing an "optional security"
feature (i.e. man-in-the-middle vulnerability). Most MUAs do it and they
are all stupid for doing so.

f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
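
The difference between the "Optional" and "Required" settings discussed in this thread, as an added example that is not part of any of the messages and is not code from Eudora or any other MUA: under Optional the client proceeds in cleartext when the STARTTLS capability is missing from the server's reply, under Required it aborts. The host name, the EHLO replies and the function names are constructed for illustration; `submit_required` uses only standard `smtplib` calls.

```python
import smtplib
import ssl

class TLSRequiredError(Exception):
    """Raised instead of falling back to cleartext submission."""

# Constructed EHLO replies: what the server sends, and the same reply as the
# client sees it when something on the path has dropped the STARTTLS line.
EHLO_OFFERED = ("250-mail.example.test\r\n250-SIZE 10240000\r\n"
                "250-STARTTLS\r\n250 AUTH PLAIN LOGIN")
EHLO_STRIPPED = ("250-mail.example.test\r\n250-SIZE 10240000\r\n"
                 "250 AUTH PLAIN LOGIN")

def ehlo_extensions(reply):
    """Extension keywords from a multi-line EHLO reply (first line is the greeting)."""
    found = set()
    for line in reply.splitlines()[1:]:
        words = line[4:].split()
        if line.startswith("250") and words:
            found.add(words[0].upper())
    return found

def next_step(reply, tls_required):
    """What the client does after EHLO under the Optional / Required setting."""
    if "STARTTLS" in ehlo_extensions(reply):
        return "starttls"
    if tls_required:
        raise TLSRequiredError("STARTTLS not offered; refusing to submit")
    return "plaintext"  # Optional: credentials and mail go out in the clear

def submit_required(host, port, user, password, message):
    """Submission with TLS required, using only standard smtplib calls."""
    context = ssl.create_default_context()  # verifies certificate and hostname
    with smtplib.SMTP(host, port, timeout=30) as client:
        client.ehlo()
        if not client.has_extn("starttls"):
            raise TLSRequiredError("STARTTLS not offered; refusing to submit")
        client.starttls(context=context)  # raises on a failed handshake
        client.ehlo()                     # capabilities must be re-read over TLS
        client.login(user, password)      # AUTH only ever sent inside TLS
        client.send_message(message)

if __name__ == "__main__":
    for name, reply in (("offered", EHLO_OFFERED), ("stripped", EHLO_STRIPPED)):
        print(name, "optional ->", next_step(reply, tls_required=False))
        try:
            print(name, "required ->", next_step(reply, tls_required=True))
        except TLSRequiredError as err:
            print(name, "required -> abort:", err)
```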