Port 465 doesn't have this problem though as the entire conversation is
encrypted. Assuming the client doesn't accept a bad certificate and
leave themselves open to a MITM attack.
<rhetorical>
Who among us actually pays Verisign (et.al.) for a SSL cert for their
personal MTA?
Besides .. in an anonymous world, how can one really verify the cert
anyway? .. it's not like you can call $recipient and verify the hash.
</rhetorical>
(oh .. and sorry about forgetting to mention the STARTTLS issue via
tcp/25 or /587).