There is no such thing as an "authenticated port"
I'm sorry, but IMHO there is no such thing as an "authenticated port". There are ports which are defined to be used only (or at least to start) to communicate in plain text (as 25). Others are defined to be used only to perform encrypted communication (see SMTPS - Wikipedia, the free encyclopedia to learn if 465 is really one of those)
Originally Posted by quanah
But plain text or encrypted communication has nothing to do with authentication. To cite http://en.wikipedia.org/wiki/Authentication: "Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person [...]"
Encrypted communication is very useful to perform authentication, because it prevents fraudulent changes in the communication (like e.g. Man-in-the-middle attacks) or eavesdropping of the identification credentials.
So, if Zimbra states, it closes a loophole by urging authentication if using encrypted communication on 465, the same must apply to the use of port 25 together with STARTTLS, but that's not the case (in 8.0.3).
Using authentication for SMTP to protect the server to be abused as spam entry point is a good idea. But that would mean, that all entry points should be protected by authentication, not just those which are using encrypted communication.
And if a Zimbra admin decides to allow unauthenticated SMTP delivery (because e.g. the server is only available in a controlled subnet), this should apply to plain text and encrypted communication as well.
Please get to a consistent solution!