It seems I misremebered, post-STARTTLS renegotiation is not subjected to anvil rate limits. I'd need to find the right OpenSSL callback to hook into the server processing of client TLS HELLO requests and turn them down if the rate is too high. This is not presently implemented.
Maybe it would be helpful to have an switch off option. The google mailrelays do not accept renegotiation requests either. The meaning of bit-mask 0x40000000 is not clear without documentation. Thank you very much.
