Re: Try next MX on a STARTTLS handshake error?

At 17:56 -0700 on 04/20/2007, Carl S. Gutekunst wrote about Try next 
MX on a STARTTLS handshake error?:
> When a client MTA tries to perform TLS authentication on a server 
> MTA, and the authentication fails, should the client MTA move on to 
> the next MX host, or give up?
> [snip]
>
> I'm struggling with trying to decide if this is correct behavior or 
> not; for some reason it seems intuitively wrong, although I can make 
> a good argument for it being right.
> [snip]

Which way you go is (at least partly) how you classify the failure to 
authenticate.
If you take the tack that you have succeeded if you establish a 
connection to the MX, then the failure to authenticate should be a 
show-stopper and going on to the next MX should not be done.
OTOH, if you regard the failure to authenticate as a failure to 
connect (ie: As if the attempt to connect to the MX itself failed), 
then running the MX chain until all MXs are checked or you get one 
where there is no failure to authenticate, then keep checking.
IOW: When do you regard the connection as successful - When the MX 
responds or when you succeed in doing an authentication of the MX's 
certificate (and thus have established a secure session/connection)?