If SMTP authentication with CRAM-MD5 or the TLS handshake fails, the mail agent downgrades to plain-text authentication, allowing active man-in-the-middle attacks.
vulners.com/securityvulns/securityvulns:doc:9951
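
The fail-closed behaviour a mail client needs to avoid this downgrade, as an added example that is not code from the advisory or from the affected mail agent. The function names, the policy and the sample EHLO replies are assumptions constructed for illustration.

```python
class DowngradeRefused(Exception):
    """Raised when continuing would send the password over an unprotected channel."""

# Constructed EHLO replies for illustration (not captured traffic).
HONEST_REPLY = "250-mail.example.test\r\n250-STARTTLS\r\n250 AUTH CRAM-MD5 PLAIN LOGIN\r\n"
# Same server as seen when STARTTLS and CRAM-MD5 have been removed in transit.
STRIPPED_REPLY = "250-mail.example.test\r\n250 AUTH PLAIN LOGIN\r\n"

def parse_ehlo(reply):
    """Map each EHLO keyword (upper-cased) to its list of parameters."""
    features = {}
    for line in reply.splitlines()[1:]:  # first line is the server greeting
        if len(line) < 4 or not line.startswith("250"):
            continue
        words = line[4:].split()
        if words:
            features[words[0].upper()] = [w.upper() for w in words[1:]]
    return features

def choose_auth(features, tls_active, require_tls=True):
    """Return the AUTH mechanism to use, or raise instead of downgrading.

    Policy assumed by this example: PLAIN and LOGIN are allowed only inside
    TLS; on a cleartext channel only CRAM-MD5 is acceptable. `features` must
    come from the EHLO issued on the current channel (re-issued after STARTTLS).
    """
    if require_tls and not tls_active:
        # Covers both a missing STARTTLS keyword and a failed handshake.
        raise DowngradeRefused("TLS required but not established")
    offered = features.get("AUTH", [])
    allowed = ("PLAIN", "LOGIN", "CRAM-MD5") if tls_active else ("CRAM-MD5",)
    for mech in allowed:
        if mech in offered:
            return mech
    raise DowngradeRefused("no acceptable AUTH mechanism offered: %s" % offered)

if __name__ == "__main__":
    for name, reply, tls in (("honest+TLS", HONEST_REPLY, True),
                             ("honest, TLS failed", HONEST_REPLY, False),
                             ("stripped", STRIPPED_REPLY, False)):
        try:
            print(name, "->", choose_auth(parse_ehlo(reply), tls, require_tls=False))
        except DowngradeRefused as exc:
            print(name, "-> refused:", exc)
```

The point of the design is that a failed handshake or a missing mechanism ends the session with an error shown to the user instead of silently retrying with PLAIN or LOGIN.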