On Sat, Jan 28, 2012, Peter Fraser wrote:

> It would have been nice if sendmail falls back to a non-TLS connection if the
> handshake occurs.

See the RFC about STARTTLS for why this isn't possible within a single session. Hence the MTA would have to "remember" that TLS failed before and not try it in a subsequent session. That's not exactly trivial with sm8: the information has to be stored somewhere, there has to be some decision which kind of errors actually cause avoiding TLS, how often an error should occur before doing so, when an error condition should "time out", etc. All of this has to work together with any TLS-related requirements specified in the access map and other delivery decisions.
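
The bookkeeping the reply above lists (where the state lives, which errors count, how many are needed, when they time out, and how TLS requirements interact), as an added Python example that is not sendmail code and not part of the original message. The class, the error names and the `tls_required` flag (standing in for an access map requirement) are assumptions made for illustration.

```python
import time

# Assumption: only these (hypothetical) error classes justify skipping STARTTLS.
# Certificate verification failures are deliberately not listed.
FALLBACK_ERRORS = {"handshake_failure", "protocol_version"}

class TLSFailureCache:
    """Remembers per-host STARTTLS failures across sessions (in memory only)."""

    def __init__(self, threshold=2, ttl=3600.0, clock=time.time):
        self.threshold = threshold   # failures needed before avoiding TLS
        self.ttl = ttl               # seconds until a failure record times out
        self.clock = clock
        self.entries = {}            # host -> (failure_count, last_failure_time)

    def _live(self, host):
        """Return the unexpired record for host, dropping it if it timed out."""
        rec = self.entries.get(host)
        if rec and self.clock() - rec[1] > self.ttl:
            del self.entries[host]
            rec = None
        return rec

    def record_failure(self, host, error):
        if error not in FALLBACK_ERRORS:
            return                   # this kind of error never causes fallback
        count = (self._live(host) or (0, 0.0))[0]
        self.entries[host] = (count + 1, self.clock())

    def record_success(self, host):
        self.entries.pop(host, None)  # a working handshake clears the record

    def decide(self, host, tls_required):
        """Return 'starttls' or 'plaintext' for the next session to host."""
        if tls_required:
            return "starttls"        # a TLS requirement always wins over fallback
        rec = self._live(host)
        if rec and rec[0] >= self.threshold:
            return "plaintext"
        return "starttls"
```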