Comment 46 for bug 24220

In , Nelson-bolyard (nelson-bolyard) wrote:

AFAIK, "StartTLS if available" is there for the user who simply doesn't
know if his server supports it or not, but wants to use it if so.
It simply is more convenient than forcing the user to set startTLS,
try it, and then set something else if that doesn't work.

That pref setting isn't very secure, because it's not difficult for an
attacker to fool the client into believing that the server does not
support StartTLS, even when it does. So, a better name might be
"StartTLS unless I'm being MITMed" :)

I think a reasonable way to implement StartTLS-if-available is to have
the network code change it after the first successful authentication.
If StartTLS worked, then change the pref from "StartTLS-if-available"
to "StartTLS always". If StartTLS didn't work, then change the pref to
"No TLS" (or whatever it is called). It then becomes a one-shot setting,
and means "probe to see if StartTLS works, and permanently select it if so."
I'd suggest you do that, and leave it in the UI. Let users set that pref,
if they don't know, but change the pref once the answer is known.

If you take that choice away (from the UI), users will complain. I hate it
when a product that I've been using for years is changed in a way that
removes functionality that (I think) I depend on, and I'll bet other users
feel that way too. But it doesn't have to remain the insecure implementation
that it has now. That's my $0.02
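The downgrade described in this comment, and the proposed one-shot fix, as an added simulation. This is example code written for this page; it is not Thunderbird or Mozilla code. The SMTP-style EHLO capability lines, the preference names NO_TLS / STARTTLS_IF_AVAILABLE / STARTTLS_ALWAYS, and the attacker model (an active MITM that rewrites the plaintext capability list) are all assumptions made for illustration.

```python
"""Simulate "StartTLS if available" versus the proposed one-shot policy.

Added example, not Thunderbird/Mozilla code.  Capability lines, preference
names and the attacker model are assumptions for illustration only.
"""

from dataclasses import dataclass

# Preference values modelled on the ones the comment discusses (names assumed).
NO_TLS = "no-tls"
STARTTLS_IF_AVAILABLE = "starttls-if-available"
STARTTLS_ALWAYS = "starttls-always"

# Constructed capability advertisement, in the style of an SMTP EHLO reply.
SERVER_CAPABILITIES = [
    "250-mail.example.test",
    "250-PIPELINING",
    "250-STARTTLS",
    "250 AUTH PLAIN LOGIN",
]


def strip_starttls(capabilities):
    """Active MITM: drop the STARTTLS line from the plaintext capability list
    so the client believes the server does not support it."""
    return [line for line in capabilities if "STARTTLS" not in line.upper()]


def server_offers_starttls(capabilities):
    """True if a STARTTLS capability line is present in the reply."""
    return any(line.upper().endswith("STARTTLS") for line in capabilities)


@dataclass
class Client:
    """Client with a static preference, i.e. the current (insecure) behaviour."""

    pref: str

    def connect(self, capabilities):
        """Return 'tls', 'plaintext' or 'refused' for one connection attempt."""
        offered = server_offers_starttls(capabilities)
        if self.pref == NO_TLS:
            return "plaintext"
        if self.pref == STARTTLS_ALWAYS:
            # Hard requirement: a stripped advertisement aborts the session.
            return "tls" if offered else "refused"
        # STARTTLS_IF_AVAILABLE: trusts whatever the (unauthenticated) reply says,
        # so a stripped advertisement silently yields a plaintext session.
        return "tls" if offered else "plaintext"


@dataclass
class OneShotClient(Client):
    """The proposal: 'if available' is a probe that rewrites itself after the
    first successful connection to either 'always' or 'no TLS'."""

    def connect(self, capabilities):
        outcome = super().connect(capabilities)
        if self.pref == STARTTLS_IF_AVAILABLE:
            # The first answer is made permanent, so later downgrades are refused.
            self.pref = STARTTLS_ALWAYS if outcome == "tls" else NO_TLS
        return outcome


def run_scenarios():
    """Exercise both clients against an honest server and a stripping MITM."""
    results = {}

    # 1. Static "if available": honest server gets TLS, MITM gets plaintext.
    static = Client(STARTTLS_IF_AVAILABLE)
    results["if_available_honest"] = static.connect(SERVER_CAPABILITIES)
    results["if_available_mitm"] = static.connect(strip_starttls(SERVER_CAPABILITIES))

    # 2. One-shot: honest first connection pins STARTTLS_ALWAYS; a later MITM
    #    stripping the capability is refused instead of downgraded.
    oneshot = OneShotClient(STARTTLS_IF_AVAILABLE)
    results["oneshot_first"] = oneshot.connect(SERVER_CAPABILITIES)
    results["oneshot_pref_after_first"] = oneshot.pref
    results["oneshot_mitm"] = oneshot.connect(strip_starttls(SERVER_CAPABILITIES))

    # 3. One-shot where the very first connection is already being MITMed:
    #    the probe pins NO_TLS, which is the residual weakness of the proposal.
    unlucky = OneShotClient(STARTTLS_IF_AVAILABLE)
    results["oneshot_mitm_first"] = unlucky.connect(strip_starttls(SERVER_CAPABILITIES))
    results["oneshot_pref_after_mitm_first"] = unlucky.pref

    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 3 is the caveat a practitioner should keep in mind: the one-shot probe closes the window to a single connection rather than eliminating it, and once the preference has been pinned to "No TLS" it will stay there until the user notices and changes it.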