I've found the options which control this and made some changes to support both varieties. On my system I can now use either port 465 or 587 for Gmail and my own email accounts. At present I'm assuming that port 25 is unencrypted, port 465 is full SSL, and all other ports are StartTLS. Are these reasonable assumptions, or do I need to give the user the option to choose the SSL/TLS type explicitly?
Both port 25 and 587 are typically optional unencrypted or StartTLS. Please don't lock down 25 to no encryption only. The reason 587 exists is that some ISPs block outgoing connections to port 25 to prevent spam, so port 587 is for those people so they have an alternate port. Port 465 is implicit SSL only and is considered obsolete, but some providers still allow it for older clients.
It's also possible some providers enforce encryption, in which case port 25 and 587 would be StartTLS only.
So
25 and 587 - plain and StartTLS
465 - implicit SSL
I suggest disabling the SSLv3 protocol, leaving TLS 1.0, TLS 1.1, and TLS 1.2 enabled.
You're not going to get all 3 ports working for everyone as different providers have different configurations, but if you do as I suggested then at least one port will work for people. E.g. d2d4j confirmed he doesn't support 465, but 25 and 587 would likely work on his servers.
I think allowing the TLS mode to be configurable is a good idea, no need to make it over complex. I would force 465 to be implicit SSL only, but for 25 and 587 allow choice of StartTLS or plain. All 3 ports disable SSLv3.
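The port-to-mode policy described in this reply, written out as an added example (not code from either poster): 465 is forced to implicit SSL, 25 and 587 let the user pick plain or StartTLS, SSLv3 is off for every connection, and the chosen mode is validated before any socket is opened. The fallback for ports the thread does not mention, and the hostnames, are assumptions.

```python
"""SMTP port / TLS-mode policy (added example, not the thread's own code)."""
import smtplib
import ssl

PLAIN, STARTTLS, IMPLICIT_SSL = "plain", "starttls", "implicit_ssl"

# Allowed modes per port, following the reply above. Ports not listed fall
# back to the plain-or-StartTLS choice (an assumption, not stated in the thread).
PORT_POLICY = {
    25: (PLAIN, STARTTLS),
    587: (PLAIN, STARTTLS),
    465: (IMPLICIT_SSL,),
}


def allowed_modes(port):
    return PORT_POLICY.get(port, (PLAIN, STARTTLS))


def is_allowed(port, mode):
    return mode in allowed_modes(port)


def validate_mode(port, mode):
    """Return the mode if the port permits it, otherwise raise ValueError."""
    if not is_allowed(port, mode):
        raise ValueError(f"{mode!r} not allowed on port {port}; "
                         f"choose from {allowed_modes(port)}")
    return mode


def make_tls_context():
    """Client context with SSLv3 disabled; the TLS floor is the library's own."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_SSLv3
    return ctx


def sslv3_disabled(ctx):
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def open_smtp(host, port, mode, timeout=30):
    """Connect using the validated mode (network call; host is hypothetical)."""
    validate_mode(port, mode)
    ctx = make_tls_context()
    if mode == IMPLICIT_SSL:
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.ehlo()
    if mode == STARTTLS:
        conn.starttls(context=ctx)  # raises if the server lacks STARTTLS
        conn.ehlo()
    return conn
```

`open_smtp("smtp.example.invalid", 465, STARTTLS)` is rejected before connecting, while `open_smtp(host, 587, STARTTLS)` fails loudly instead of silently continuing in plaintext when the server does not offer the extension.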