SMTP with TLS support provides transparent inband port 25 encryption if advertised in response to EHLO. How cool is that?
Getting started requires having certificates for every host.
You can either pay the big guys lots of money or just set up
your own Root Certificate Authority; I have some tips
on doing that.
sendmail
sendmail supports TLS since 8.11.0.
Installation is easier with 8.12.0, but 8.11.x isn't too hard. Check out
these instructions.
postfix
The postfix TLS patch
[local] I found to be easier to compile and install than sendmail+tls.
qmail
And of course one of the eight billion qmail patches is
for TLS.
I have never installed this one... if I can define a list of hosts to exclude
from TLS sessions (required in the way I use qmail), I probably will at some point.
Microsoft Exchange
Under NT4 TLS is automatically enabled for inbound SMTP when you attach a key to
SMTP in the KeyManager. I'm not entirely sure about how outbound works yet
though... I've seen strange problems between sendmail and Exchange where
the Exchange host will advertise and accept STARTTLS but when it issues the EHLO
and sees STARTTLS advertised, it doesn't make use of it.