The values of the username and password do not matter, because my server does not require authentication.
I can tell when TLS is being used or not because I am proxying the connection through ncat so I can watch the full SMTP session. The server responds with 250 STARTTLS but Lucee never sends STARTTLS unless I provide a username and password in the cfmail tag.
I don’t agree that it’s best practice to always use authentication. Lots of internal networks use IP allow-lists rather than authentication.
And it took me a long time to figure out why I could not get TLS to work, then on a whim I just decided to try adding a username and password. So in my opinion, yes it’s a problem. Or at least the documentation should explain that in order to use TLS you must provide dummy credentials. Should I enter a ticket for that? I think I’ve done a PR for a documentation change before, I can figure that out again.