
Are there any large, reputable MTAs (like gmail, hotmail, icloud, etc) that will bounce mail or otherwise fail to deliver if the receiving MTA doesn't support STARTTLS?

Put another way, will reputable MTAs generally retry delivery without TLS if an attempt to STARTTLS is unsuccessful?

ATLief
  • I don’t usually run my servers without a valid certificate, but I think I have observed that most mailservers will do the upgrade to (start)TLS whenever available and without strict checking of the validity of the certificate. Even without a valid certificate, TLS will still ensure more transport security than an unencrypted connection. – HBruijn Nov 24 '18 at 22:45
  • Nope, everyone is doing opportunistic encryption only. – Michael Hampton Nov 24 '18 at 23:19

1 Answer


No.

Generally they can't do this, since a very large majority of mail addresses are still handled by non-TLS-capable servers.

However, some large providers (the first was Gmail, I believe) started "scoring" or "marking" mail received from TLS-incapable servers, and this mail may end up in spam more easily than other mail.

As for your "putting it another way": it doesn't quite work that way, since the servers actually have to announce their capabilities. If they announce STARTTLS but it's unsuccessful, then it's a hard protocol error and may result in a bounce, similar to any 5xx (permanent) or persistent 4xx (temporary) error. For the others it is not a question of "success" but of support, and I haven't seen disconnects due to lack of TLS support on the few servers I have without it.

grin
  • I don't think it's a majority which lacks the support. I have seen the Gmail warnings about unencrypted emails. But I have only seen them on rare occasions. I think the reason is that a lot of software supports STARTTLS but if you haven't configured a certificate it will only be supported for outgoing emails not incoming emails. – kasperd Jan 11 '19 at 23:16
  • I may have phrased it wrong; by "non-capable" I meant a not fully working implementation, for any possible reason. I get email from a wide range of sources (lots of small, independent servers) and I see the red Gmail open lock quite often. – grin Jan 13 '19 at 00:01
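The two decision points the answer describes (STARTTLS absent from EHLO versus STARTTLS advertised but the command failing), as an added example that is not part of the original thread. The `Policy` names, the function names and the sample EHLO/STARTTLS replies are constructed for illustration and are not any particular MTA's configuration keys or captured server output.

```python
from enum import Enum

class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # use TLS when offered, else send in the clear
    MANDATORY = "mandatory"          # never send in the clear (assumed name, not an MTA key)

def parse_ehlo(reply):
    """Return the extension keywords from a multi-line 250 EHLO reply.

    Lines look like '250-STARTTLS' (more follow) or '250 HELP' (last line);
    the first line carries the server's greeting, not an extension."""
    lines = [l for l in reply.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted: %r" % lines[:1])
    exts = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("malformed EHLO reply line: %r" % line)
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts

def plan_after_ehlo(reply, policy):
    """Next step once the capability list is known: 'starttls', 'plaintext' or 'defer'.

    STARTTLS missing from EHLO is a matter of support, not of success, so the
    sending side's own policy decides whether plaintext delivery is acceptable."""
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    return "plaintext" if policy is Policy.OPPORTUNISTIC else "defer"

def plan_after_starttls(reply):
    """Next step after the server answers the STARTTLS command it advertised.

    220 means 'proceed with the handshake'. Any other reply is a protocol error
    handled like other SMTP replies: 4xx is retried later, 5xx is permanent."""
    code = reply[:3]
    if code == "220":
        return "handshake"
    if code.startswith("4"):
        return "defer"
    if code.startswith("5"):
        return "bounce"
    raise ValueError("unexpected STARTTLS reply: %r" % reply)

# Constructed sample replies, not captured from any real server.
EHLO_WITH_TLS = "250-mx.example.test Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_NO_TLS = "250-mx.example.test Hello\r\n250-SIZE 10240000\r\n250 HELP\r\n"
```

Whether a sender retries in plaintext after a failed handshake is the sender's policy, which is why the model takes it as a parameter rather than hard-coding one answer.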