
It's also worth pointing out that if it's your mail _server_ then you can also configure similar. My exim setup doesn't even present the user with LOGIN options until after they've started TLS, so even with a bad client it's impossible for them to leak their credentials.


Not quite. When the MITM strips out "STARTTLS" from the EHLO response, they could also add "AUTH PLAIN", causing your theoretical "bad client" to attempt authentication.


This is what I was trying to get at. It's silly to even offer plaintext communications in the first place.


We were talking about a theoretical bad client. No client I have ever used to talk to port 587 would behave that way. They would all encrypt or fail. Regardless of whether "AUTH PLAIN" was inserted prior to encryption and/or STARTTLS removed.
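The thread above describes two sides of the same defence: a server that does not advertise AUTH until TLS is up, and a client that encrypts or fails regardless of what a tampered EHLO reply offers. The following is an added illustration, not code from any commenter or from exim: a small EHLO capability parser plus a "TLS before AUTH" decision function, run against two constructed EHLO replies (an honest one advertising STARTTLS, and a hypothetical downgraded one with STARTTLS removed and AUTH PLAIN inserted). The hostname, sizes and capability lists are made up; `require_tls` models the "encrypt or fail" client, and `require_tls=False` models the theoretical bad client for contrast.

```python
"""Added example (not from the HN thread): how a submission client should
react to an EHLO reply before sending credentials, and the server-side
counterpart of only advertising AUTH once TLS is active."""
from dataclasses import dataclass

# Constructed EHLO replies; not captured from any real server.
HONEST_EHLO = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Same greeting after a hypothetical downgrade: STARTTLS gone, AUTH inserted.
STRIPPED_EHLO = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params, ...]}.

    The first line is the greeting, not a capability. Every line must be
    '250-' (more to follow) or '250 ' (final line); anything else is malformed.
    """
    caps: dict[str, list[str]] = {}
    lines = [ln for ln in reply.split("\r\n") if ln]
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        if index == 0:
            continue  # greeting line
        parts = line[4:].split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


@dataclass
class Decision:
    action: str   # "starttls", "auth" or "abort"
    reason: str


def plan_before_auth(caps: dict[str, list[str]], tls_active: bool,
                     require_tls: bool = True) -> Decision:
    """Decide the client's next step given the parsed capabilities.

    With require_tls (the 'encrypt or fail' client from the thread), AUTH on
    a plaintext connection is never acted on, whether it was there originally
    or injected by a middlebox that also removed STARTTLS.
    """
    if tls_active:
        if "AUTH" in caps:
            return Decision("auth", "TLS established; server advertises AUTH")
        return Decision("abort", "TLS established but no AUTH offered")
    if "STARTTLS" in caps:
        return Decision("starttls", "upgrade before sending any credentials")
    if require_tls:
        return Decision("abort", "STARTTLS not advertised on a plaintext "
                                 "connection; possible downgrade, refusing to auth")
    # Legacy behaviour kept only for contrast: the theoretical "bad client".
    if "AUTH" in caps:
        return Decision("auth", "INSECURE: would send credentials in the clear")
    return Decision("abort", "nothing usable offered")


def server_capabilities(tls_active: bool) -> list[str]:
    """Server-side counterpart of the exim setup described in the thread:
    advertise STARTTLS on a plaintext session and AUTH only after TLS.
    (Constructed policy, not exim's actual configuration.)"""
    caps = ["SIZE 52428800"]
    caps.append("AUTH PLAIN LOGIN" if tls_active else "STARTTLS")
    return caps


if __name__ == "__main__":
    for label, reply in (("honest", HONEST_EHLO), ("stripped", STRIPPED_EHLO)):
        decision = plan_before_auth(parse_ehlo(reply), tls_active=False)
        print(f"{label:8s} -> {decision.action}: {decision.reason}")
```

Running the block shows the secure client answering `starttls` to the honest reply and `abort` to the downgraded one; only with `require_tls=False` does the injected AUTH line ever lead to an `auth` decision, which is exactly the gap the server-side `AUTH`-after-TLS policy closes from the other end.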
