> > On Feb 4, 2016, at 11:22 AM, John C Klensin <john-ietf@xxxxxxx> wrote:
> >
> >> I am quite comfortable at this time with a requirement of
> >> better than SSLv3 for SMTP on the public Internet.
> >
> > Unless there is a fallback to clear text, I am not.

> Yes, of course with cleartext transmission in the absence of STARTTLS
> support. I had expected that would have been clear from context.

That's in no way sufficient. Not only do you have to be willing to do without STARTTLS, you also have to be willing to close the connection and try another in the event that the server offers STARTTLS, the client attempts to use it but the TLS negotiation fails for some reason. I suspect this is the "fallback" John was talking about.

Not all SMTP clients offer this capability, and without it you can get into stuck message situations.

> The point being that systems that are STARTTLS-capable are at this
> point essentially without exception capable of TLSv1 or better.

Maybe. But even if this is true, there are other ways for TLS negotiation to fail. (The one that has been the biggest nuisance historically is where TLS is enabled on the server but no certificate is installed, causing all attempts to use TLS to fail unconditionally.)

> My statement should have said "requirement of better than SSLv3 to
> complete a STARTTLS handshake". I am not suggesting that we've
> reached sufficiently broad STARTTLS adoption to make it realistic
> to end support for cleartext SMTP.
>
> At https://www.google.com/transparencyreport/saferemail/
> we see a very small positive slope in the percentage of TLS
> outbound mail (~2% per year) and no sign of growth in TLS inbound
> mail (I'm guessing the bulk email senders don't much care for TLS
> and send more traffic on weekdays than weekends).

Gmail falls back to cleartext on a new connection when TLS negotiation fails.

Ned
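The delivery logic the message describes (server offers STARTTLS, handshake fails, client either closes and reconnects without STARTTLS or sits on a stuck message), as an added simulation that is not part of the thread. The `FakeServer` model, the `min_version` policy and the `TLS_ORDER` list are assumptions; no sockets are opened.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ordering of protocol versions, oldest first.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

@dataclass
class FakeServer:
    """Constructed stand-in for a remote MTA (assumption; no network)."""
    advertises_starttls: bool
    # Best version the server can negotiate. None models the historical
    # nuisance of TLS enabled with no certificate installed: every
    # handshake fails unconditionally.
    tls_version: Optional[str] = None

@dataclass
class Outcome:
    transport: str       # "tls", "cleartext" or "stuck"
    connections: int     # how many TCP sessions the client had to open

def handshake_ok(server: FakeServer, min_version: str) -> bool:
    """Would a STARTTLS handshake at >= min_version complete?"""
    if server.tls_version is None:
        return False
    return TLS_ORDER.index(server.tls_version) >= TLS_ORDER.index(min_version)

def deliver(server: FakeServer, min_version: str = "TLSv1",
            fallback_on_tls_failure: bool = True) -> Outcome:
    """Model one delivery attempt by an opportunistic-TLS SMTP client."""
    # Connection 1: EHLO; the server either advertises STARTTLS or not.
    if not server.advertises_starttls:
        return Outcome("cleartext", 1)
    if handshake_ok(server, min_version):
        return Outcome("tls", 1)
    # STARTTLS was advertised but negotiation failed. A client that cannot
    # fall back keeps deferring the message: the stuck-message case.
    if not fallback_on_tls_failure:
        return Outcome("stuck", 1)
    # Connection 2: close the failed session, reconnect, and deliberately
    # do not issue STARTTLS on the new one (the Gmail behaviour described).
    return Outcome("cleartext", 2)

if __name__ == "__main__":
    broken = FakeServer(advertises_starttls=True, tls_version=None)
    legacy = FakeServer(advertises_starttls=True, tls_version="SSLv3")
    print(deliver(broken))                                 # Outcome(transport='cleartext', connections=2)
    print(deliver(legacy, fallback_on_tls_failure=False))  # Outcome(transport='stuck', connections=1)
```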