How about the following for mandatory to implement: Servers must implement TLS, SASL GSS Kerberos V5, and CRAM-MD5/digest auth. Clients must implement one of these three protocols.

How do you ensure that governments will allow these servers to be sold to customers?

--
John Haxby
OpenMail R&D