You're thinking of end clients. This is server to server communication and Fastmail supports STARTTLS of course.

    $ dig mx fastmail.com +short
    10 in1-smtp.messagingengine.com.
    20 in2-smtp.messagingengine.com.

    $ telnet in2-smtp.messagingengine.com. 25
    Trying 82.221.106.241...
    Connected to in2-smtp.messagingengine.com.
    Escape character is '^]'.
    220 tlxc1.messagingengine.com ESMTP . No UCE permitted.
    ehlo my.hostname
    250-tlxc1.messagingengine.com
    250-PIPELINING
    250-SIZE 73000000
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250 8BITMIME

The article is about end clients on residential and/or business lines. There is no reason for client-to-server communication to rely on STARTTLS on port 25.

There's also no reason to discount server-to-server SMTP on residential or business lines. Especially since this is part of the larger net neutrality discussion.

I worked at an ISP and no, net neutrality aside, SMTP on residential is bad bad bad. It should be permitted only at the customer's request, but probably won't fix the fact that their subnet is on a global spam blacklist.

The point of NN is that the ISP shouldn't get to make that decision. Even "allow on request" is very problematic because it's a slippery slope. Many people run SMTP at home mostly to receive mail, because the ISP is legally obligated to retain mail logs for law enforcement etc. (EU data retention law)

Port 465 (SSMTP) is deprecated and the port number has been reassigned. The standard says to use SMTP on port 25 (with STARTTLS) for server-to-server communcation and Submission on port 587 (with STARTTLS) for client mail submission.

But the standard is less secure that what it is meant to replace. How can you replace SSL with optional, third party downgradable encryption?

That's incorrect. Mail submission using SSL on port 465 is no more secure than using STARTTLS on port 587. If my client connects to my server on port 587 and does an EHLO and sees no mention of STARTTLS in the response, or can't negotiate encryption for any other reason, then it will not continue, not authenticate, and not send email. That is normal behaviour for mail clients that have been configred to use encryption. I'm not aware of any mail clients which will automatically downgrade to not use encryption when configured to use encryption.

It's also worth pointing out that if its your mail _server_ then you can also configure similar. My exim setup doesn't even present the user with LOGIN options until after they've started TLS, so even with a bad client its impossible for them to leak their credentials.

Not quite. When the MITM strips out "STARTTLS" from the EHLO response, they could also add "AUTH PLAIN", causing your theoretical "bad client" to attempt authentication.

This is what I was trying to get at. It's silly to even offer plaintext communications in the first place.

We were talking about a theoretical bad client. No client I have ever used to talk to port 587 would behave that way. They would all encrypt or fail. Regardless of if "AUTH PLAIN" was inserted prior to encryption and/or STARTTLS removed.

IPsec, maybe? SSL and TLS always seemed silly to me as a link-level encryption (when no client certificates are used).