Comment 79 for bug 24220

In , Mozilla (mozilla) wrote :

(In reply to comment #69)
> Note that I _still_ don't know whether using "STARTTLS" with the "secure
> authentication" checkbox unchecked is secure in the "disable the use of plain
> text password over unencrypted channels" sense. No one's actually answered
> that question.

Whatever you use with TLS (STARTTLS) is secure, since the TLS session is started before authentication is done. In theory, it might be possible that the client performs authentication before it initiates the TLS session, but that would be really silly. Some servers enforce STARTTLS by not accepting anything else before it.
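
The ordering described in the comment above can be checked against a client protocol log. The following is an added example, not part of the original comment or of the project's code: it assumes SMTP (the comment does not name the protocol), and the transcripts, host names and the `audit` function are constructed for illustration.

```python
# Constructed SMTP client logs (not captured traffic). C: client, S: server.
GOOD = """S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO client.example.test
S: 250 AUTH PLAIN
C: AUTH PLAIN <redacted>
S: 235 Authentication successful"""

BAD = """S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN
C: AUTH PLAIN <redacted>
S: 235 Authentication successful"""

# Server that enforces STARTTLS: the AUTH is refused, but the client still sent it.
ENFORCED = """S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250 STARTTLS
C: AUTH PLAIN <redacted>
S: 530 Must issue a STARTTLS command first"""


def audit(transcript):
    """List AUTH commands the client sent before the TLS session was started."""
    tls_active = False
    pending = None  # (line_no, verb) of the client command awaiting its reply
    findings = []
    for no, line in enumerate(transcript.splitlines(), 1):
        side, _, text = line.partition(": ")
        if side == "C":
            pending = (no, text.split()[0].upper())
            if pending[1] == "AUTH" and not tls_active:
                findings.append({"line": no, "command": text, "reply": None})
        elif side == "S" and pending and text[3:4] != "-":  # final reply line
            if pending[1] == "STARTTLS" and text.startswith("220"):
                tls_active = True  # everything after this point is inside TLS
            if findings and findings[-1]["line"] == pending[0]:
                findings[-1]["reply"] = text[:3]
            pending = None
    return findings
```

An empty result means every AUTH in the log came after the server accepted STARTTLS; a finding with reply `530` shows a server enforcing STARTTLS against a client that authenticated too early.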