by mandarg 3562 days ago
Note that mail sent this way is "in the clear" and can be used for passive monitoring.

I wonder if the Great Firewall allows clients to do opportunistic STARTTLS or if it modifies the server response to indicate TLS as being unavailable.
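One way to answer this question from the client side is to look at what the server's EHLO response actually advertises: a server known to offer STARTTLS whose response reaches the client without a `STARTTLS` keyword is a strong sign that something on the path is rewriting it, and the client should refuse to fall back to cleartext rather than silently "opportunistically" sending in the clear. The following is an added example, not code from the thread or from any particular mail server; the EHLO responses are constructed samples (the `XXXXXXXX` keyword mimics the way some middleboxes overwrite the STARTTLS keyword), and `mail.example.com` is a placeholder host.

```python
"""Detect STARTTLS stripping in an SMTP EHLO response and enforce mandatory TLS.

Added example, not from the original post. Sample EHLO responses below are
constructed; host names are placeholders.
"""
import smtplib
import ssl

# Constructed EHLO responses: a genuine one, one where a middlebox has
# overwritten the STARTTLS keyword, and one from a server with no TLS at all.
GENUINE_EHLO = (
    "250-mail.example.com Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
STRIPPED_EHLO = (
    "250-mail.example.com Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-XXXXXXXX\r\n"  # constructed: keyword blanked out by a middlebox
    "250 HELP\r\n"
)
NO_TLS_EHLO = (
    "250-mail.example.com Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(ehlo_text: str) -> set:
    """Return the extension keywords advertised in a multi-line EHLO response.

    The first 250 line carries the server's domain and greeting, so it is
    skipped; continuation lines look like '250-KEYWORD ...' and the final
    line like '250 KEYWORD ...'.
    """
    lines = [ln.strip() for ln in ehlo_text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        return set()  # not a successful EHLO reply
    keywords = set()
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        body = line[4:]  # drop '250-' or '250 '
        keywords.add(body.split()[0].upper())
    return keywords


def starttls_offered(ehlo_text: str) -> bool:
    """True if the server (as seen by this client) advertises STARTTLS."""
    return "STARTTLS" in parse_ehlo(ehlo_text)


def assess(ehlo_text: str, expect_tls: bool) -> str:
    """Classify the response against what we know about the server.

    expect_tls is the operator's prior knowledge that this server does
    support STARTTLS (for example, from a direct check on a clean network).
    """
    if starttls_offered(ehlo_text):
        return "ok"
    if expect_tls:
        return "downgrade-suspected"  # keyword should be there but is missing
    return "cleartext"


def deliver_with_mandatory_tls(host: str, port: int = 587) -> smtplib.SMTP:
    """Open an SMTP session and refuse to continue without STARTTLS.

    Unlike opportunistic clients, this raises instead of falling back to
    cleartext when the keyword is missing. Not exercised offline.
    """
    server = smtplib.SMTP(host, port, timeout=30)
    server.ehlo()
    if not server.has_extn("starttls"):
        server.quit()
        raise RuntimeError(f"{host}: STARTTLS not advertised; refusing cleartext")
    server.starttls(context=ssl.create_default_context())  # verifies the cert
    server.ehlo()  # re-issue EHLO inside the TLS session per RFC 3207
    return server


if __name__ == "__main__":
    for name, text in (("genuine", GENUINE_EHLO), ("stripped", STRIPPED_EHLO),
                       ("no-tls", NO_TLS_EHLO)):
        print(name, sorted(parse_ehlo(text)), assess(text, expect_tls=name != "no-tls"))
```

The useful operational habit is the `expect_tls` prior: record, from a network you trust, whether each of your own servers advertises STARTTLS, and treat its disappearance from a particular vantage point as an incident rather than as a reason to send in the clear.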


I've noticed that the firewall really doesn't like TLS connections. It doesn't block them outright, but it does slow the traffic, and periodically break the connection. Basically they just try to interfere with it enough that you don't bother.

I run mail servers (based in the US) for my company (based in China). My employees don't understand why I make them use these email accounts that time out every twenty minutes or so, or drop connections randomly. I've explained why we do it this way, and they understand the security, but still don't really get why I bother.