[devereaux]

Yes, because SSL is optional on port 25 and 487.

But you can chose to disregard the RFCs and disallow servers that will not encrypt to send you any mail. No downgrade attack then. It requires some manual changes. It may cause you to not receive email from some servers.

You can also only accept mail on port 465, which in practice is used for SMTP over SSL. You will receive even less mails.

Cf another reply I made today about that: https://news.ycombinator.com/item?id=17397500

[belorn]

465 used to be deprecated since 1998 when STARTTLS was created, and it was only kept in use since older Microsoft applications (including Entourage v10.0 and its successor, Outlook for Mac 2011) did not support STARTTLS.

However in January this year, the proposed RFC 8314 reinstate the registration of port 465 for implicitly encrypted mail submission. I think it is a bit early to close down port 25, but a great idea to make sure 465 is correctly configured if it isn't already.