Comment 8 for bug 490044

Patrick Ben Koetter (p-state-of-mind) wrote :

Erhm, misunderstanding? I wasn't talking about STARTTLS, but the possibility to control which SMTP AUTH mechanism will be used.

I took a look at the library and it seems like the library tries to do "the right thing":

    # List of authentication methods we support: from preferred to
    # less preferred methods. Except for the purpose of testing the weaker
    # ones, we prefer stronger methods like CRAM-MD5:
    preferred_auths = [AUTH_CRAM_MD5, AUTH_PLAIN, AUTH_LOGIN]

CRAM-MD5 is fine, because the identity sent for authentication goes encrypted over the network. Not so PLAIN or LOGIN. They will only be encoded (base64) over the Net.

We should at least mention in the docs that if MM3 sends authentication data over an unsecured network the submission server on the other end SHOULD support CRAM-MD5 or SMTP AUTH MAY be eavesdropped. However if it uses CRAM-MD5, smtplib will do the right (read: secure) thing.
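The following is an added example illustrating the point made in this comment; it is not code from the comment, from Mailman, or from smtplib. It shows why a PLAIN blob offers no protection (it is reversible base64), how a CRAM-MD5 exchange keeps the password off the wire (an HMAC-MD5 over the server's challenge, which is what smtplib computes), and a small mechanism-selection policy that refuses PLAIN/LOGIN unless TLS is already active. The function names, the sample credentials and the challenge are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Same preference order smtplib uses: strongest first.
PREFERRED_AUTHS = ["CRAM-MD5", "PLAIN", "LOGIN"]


def decode_plain(blob_b64):
    """Recover (authzid, authcid, password) from an AUTH PLAIN blob.

    This is exactly what a passive observer can do on a non-TLS session:
    base64 is an encoding, not encryption.
    """
    parts = base64.b64decode(blob_b64).split(b"\0")
    return tuple(p.decode() for p in parts)


def cram_md5_response(user, password, challenge_b64):
    """Client side of CRAM-MD5: send user + hex(HMAC-MD5(password, challenge)).

    The password itself never appears in the response.
    """
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(stored_password, challenge_b64, response_b64):
    """Server side: recompute the digest from the stored secret and compare."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return user, hmac.compare_digest(expected, digest)


def choose_auth(advertised, tls_active):
    """Pick a mechanism from what the server advertised (its EHLO AUTH line).

    Policy assumed for this example: PLAIN and LOGIN are acceptable only when
    the session is already protected by TLS; otherwise fall through and
    return None, meaning "refuse to authenticate rather than leak credentials".
    """
    supported = {m.upper() for m in advertised}
    for mech in PREFERRED_AUTHS:
        if mech not in supported:
            continue
        if mech in ("PLAIN", "LOGIN") and not tls_active:
            continue
        return mech
    return None


# Constructed sample data (not captured from any real server).
SAMPLE_USER = "alice@example.com"
SAMPLE_PASSWORD = "s3cret"
SAMPLE_PLAIN_BLOB = base64.b64encode(b"\0" + SAMPLE_USER.encode() + b"\0" + SAMPLE_PASSWORD.encode()).decode()
SAMPLE_CHALLENGE = base64.b64encode(b"<1896.697170952@mail.example.com>").decode()

if __name__ == "__main__":
    print("PLAIN blob on the wire:", SAMPLE_PLAIN_BLOB)
    print("...decodes to:", decode_plain(SAMPLE_PLAIN_BLOB))
    resp = cram_md5_response(SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    print("CRAM-MD5 response on the wire:", resp)
    print("Server verifies:", verify_cram_md5(SAMPLE_PASSWORD, SAMPLE_CHALLENGE, resp))
    print("No TLS, server offers PLAIN LOGIN ->", choose_auth(["PLAIN", "LOGIN"], False))
    print("No TLS, server offers CRAM-MD5 PLAIN ->", choose_auth(["CRAM-MD5", "PLAIN"], False))
```

The selection policy is the part a deployment guide can act on: if the submission server only offers PLAIN or LOGIN, the connection must be wrapped in TLS (STARTTLS or SMTPS) before `login()` is called, otherwise `choose_auth` returns None and the client should not proceed.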