+1 for what echoDreamz and John Marx said. There are too many mail servers on the 'net that either use TLS 1.0 or no encryption at all. We had to make a choice between forcing the higher level of security of TLS 1.2 only, or retaining backwards compatibility with older mail systems.
Our decision was based on these conclusions:
- Newer mail systems (and mail clients) will connect with TLS 1.2 for best security. (Well, the best security option we have until Microsoft gets its butt in gear and gives us TLS 1.3 support.)
- Older mail systems that only support TLS 1.0/1.1 will still be able to connect with us. Even though it's less secure, it's still better than no encryption at all against the casual snooper.
- And we still permit unencrypted sessions so Fred Flintstone can talk with us. Anyone who is genuinely concerned about security should perform their due diligence and discuss security with their current mail hosting provider. They can switch if that provider falls short.
We did, however, remove all support for SSL 2.0/3.0 because it's just too old.
Our philosophy is, we offer TLS 1.2 for anyone who wants it. But we will not "break" connections (yet) for those who aren't at that level.
Running a mail server is an exercise in compromise for most service providers. Email should never be relied upon as a completely secure method of communication, unless you're using full end-to-end security such as with the ZIX plug-in, or similar.
(Wouldn't it be great if SmarterTools released an envelope encryption plug-in that worked with the major mail clients?)
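One way to put numbers behind the "break connections or not" decision described above, as an added example that is not from the post or from SmarterTools: it parses a constructed, Postfix-style smtpd log excerpt, tallies the protocol negotiated on each inbound session (or "none" for cleartext), and lists which peers would stop delivering if the minimum were raised to TLS 1.2. The log format, host names and addresses are assumed sample data.

```python
import re
from collections import Counter

# Constructed, Postfix-style smtpd log excerpt (sample data, not from the forum post).
SAMPLE_LOG = """\
Jun 01 10:00:01 mx1 postfix/smtpd[1001]: connect from mail.alpha.example[192.0.2.10]
Jun 01 10:00:01 mx1 postfix/smtpd[1001]: Anonymous TLS connection established from mail.alpha.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 01 10:00:03 mx1 postfix/smtpd[1001]: disconnect from mail.alpha.example[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 01 10:00:05 mx1 postfix/smtpd[1002]: connect from legacy.beta.example[198.51.100.7]
Jun 01 10:00:05 mx1 postfix/smtpd[1002]: Anonymous TLS connection established from legacy.beta.example[198.51.100.7]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jun 01 10:00:06 mx1 postfix/smtpd[1002]: disconnect from legacy.beta.example[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 01 10:00:09 mx1 postfix/smtpd[1003]: connect from plain.gamma.example[203.0.113.4]
Jun 01 10:00:09 mx1 postfix/smtpd[1003]: disconnect from plain.gamma.example[203.0.113.4] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jun 01 10:00:12 mx1 postfix/smtpd[1001]: connect from mail.delta.example[192.0.2.22]
Jun 01 10:00:12 mx1 postfix/smtpd[1001]: Trusted TLS connection established from mail.delta.example[192.0.2.22]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Jun 01 10:00:13 mx1 postfix/smtpd[1001]: disconnect from mail.delta.example[192.0.2.22] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# Protocol ranking; "none" marks a session that never issued STARTTLS (cleartext).
RANK = {"none": 0, "SSLv2": 1, "SSLv3": 2, "TLSv1": 3, "TLSv1.1": 4, "TLSv1.2": 5, "TLSv1.3": 6}
CONNECT = re.compile(r"smtpd\[(\d+)\]: connect from (\S+?)\[")
TLS_EST = re.compile(r"smtpd\[(\d+)\]: \w+ TLS connection established from (\S+?)\[.*?\]: (\S+) with cipher")
DISCONNECT = re.compile(r"smtpd\[(\d+)\]: disconnect from")

def parse_sessions(log_text):
    """Return (peer_host, protocol) for each completed inbound session, keyed by smtpd pid while open."""
    pending, sessions = {}, []
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            pending[m.group(1)] = [m.group(2), "none"]   # cleartext until a TLS line says otherwise
        elif m := TLS_EST.search(line):
            if m.group(1) in pending:
                pending[m.group(1)][1] = m.group(3)
        elif m := DISCONNECT.search(line):
            if (s := pending.pop(m.group(1), None)) is not None:
                sessions.append(tuple(s))
    return sessions

def protocol_breakdown(sessions):
    """How many sessions negotiated each protocol (the 'how much would we break' number)."""
    return Counter(proto for _, proto in sessions)

def peers_that_would_break(sessions, minimum="TLSv1.2", keep_cleartext=True):
    """Peers below `minimum`; cleartext peers are exempt while the server still accepts plain SMTP."""
    broken = set()
    for host, proto in sessions:
        if proto == "none" and keep_cleartext:
            continue
        if RANK.get(proto, 0) < RANK[minimum]:
            broken.add(host)
    return sorted(broken)
```

Run it against a real log and the second list is exactly the set of peers to contact before tightening the minimum protocol version.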