SMTP uses _opportunistic_ encryption. It fails open.* This has the unfortunate consequence that strengthening the encryption often means actually using no encryption at all. ☹ The client MTA attempts to negotiate TLS 1.2, is unable to, and ends up sending the email in plaintext, when it could have been sent using TLS 1.0 with a weaker algorithm, vulnerable to some advanced cryptographic attacks, or in some cases with an active MITM (which it wouldn't detect anyway, since clients don't bother to verify the certificate*).
It would have been preferable to let that go through even with weaker encryption. Of course, it could still be marked to the user as not (properly) encrypted, a broken lock or whatever way you may convey that to your users. If you do that, most providers don't report that in any way, and users stay in their blissful ignorance (in which they are probably happier, too).

Happy and safe 2021 to everyone

* I'm ignoring the population forcing encryption or implementing MTA-STS.
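
The fail-open behaviour described in the message above, modelled as an added Python example (not part of the original post). The `TLS` enum, the function names and the sample peers are constructed for illustration, and the client is assumed to support every version from its configured minimum up to TLS 1.3.

```python
from enum import IntEnum

class TLS(IntEnum):
    NONE = 0    # peer offers no STARTTLS, or the handshake failed
    V1_0 = 10
    V1_1 = 11
    V1_2 = 12
    V1_3 = 13

def negotiate(peer_max, client_min):
    """Return the agreed TLS version, or TLS.NONE if no version is shared."""
    if peer_max == TLS.NONE or peer_max < client_min:
        return TLS.NONE
    return peer_max

def deliver(peer_max, client_min, fail_open=True, strong=TLS.V1_2):
    """Model one delivery by a client MTA; returns (outcome, user_label)."""
    agreed = negotiate(peer_max, client_min)
    if agreed >= strong:
        return "encrypted", "lock"
    if agreed != TLS.NONE:
        # Weak TLS still defeats a passive eavesdropper; flag it to the user.
        return "weak-encrypted", "broken lock"
    if fail_open:
        # Opportunistic mode: the failed handshake is followed by plaintext.
        return "plaintext", "broken lock"
    return "deferred", "not delivered"

def summarize(peers, client_min, fail_open=True):
    """Count delivery outcomes across a set of peers for one client policy."""
    counts = {}
    for peer_max in peers.values():
        outcome, _ = deliver(peer_max, client_min, fail_open)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts

PEERS = {  # constructed sample: highest TLS version each receiving MX supports
    "mx.modern.example": TLS.V1_3,
    "mx.current.example": TLS.V1_2,
    "mx.legacy.example": TLS.V1_0,
    "mx.old.example": TLS.V1_0,
    "mx.none.example": TLS.NONE,
}

if __name__ == "__main__":
    for label, floor in (("min TLS 1.0", TLS.V1_0), ("min TLS 1.2", TLS.V1_2)):
        print(label, summarize(PEERS, floor))
```

Raising the floor from TLS 1.0 to TLS 1.2 moves the two legacy peers from weak encryption to plaintext; only `fail_open=False` turns that into a deferral instead.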