We have a need to ensure that a connection is secured (by STARTTLS in our case,
maybe in the general case legacy SSL is also acceptable.)
One possibility (the one we've implemented locally but for SMTP+STARTTLS only)
is to have new system properties like mail.smtp.starttls.required=true which
makes a connection fail if it can't start TLS after connecting.