The STARTTLS option of SMTP is ignored when "Server requires authentication" is not checked. In this case, kmail will send any mail in cleartext.
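One way to check a capture for the behaviour described in this report, as an added example that is not part of the original bug report or of kmail's code: the function classifies a plaintext SMTP transcript by whether MAIL FROM was sent without a STARTTLS upgrade. The transcripts, hostnames, function name and verdict strings are constructed for illustration.

```python
"""Classify a plaintext SMTP capture: was mail sent without a STARTTLS upgrade?"""

# Constructed sample transcripts as (direction, line); hostnames are placeholders.
SESSION_NO_UPGRADE = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250-STARTTLS"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 OK"),
]
SESSION_UPGRADED = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250 STARTTLS"),
    ("C", "STARTTLS"),
    ("S", "220 Ready to start TLS"),
]


def audit_smtp_session(transcript):
    """Return a verdict string for one SMTP session (hypothetical helper)."""
    offered = False   # server listed STARTTLS in its EHLO reply
    pending = False   # client sent STARTTLS, waiting for the server's answer
    for direction, line in transcript:
        upper = line.strip().upper()
        if direction == "S":
            # Capability lines look like "250-STARTTLS" or "250 STARTTLS".
            if upper[:3] == "250" and upper[4:].split(" ")[0] == "STARTTLS":
                offered = True
            if pending:
                if upper.startswith("220"):
                    return "upgraded"  # the rest of the session is inside TLS
                pending = False        # upgrade refused, session stays cleartext
        elif upper == "STARTTLS":
            pending = True
        elif upper.startswith("MAIL FROM:"):
            # An envelope visible in the capture means the mail is unencrypted.
            if offered:
                return "cleartext-despite-starttls"
            return "cleartext-no-starttls-offered"
    return "no-mail-seen"


if __name__ == "__main__":
    print(audit_smtp_session(SESSION_NO_UPGRADE))
    print(audit_smtp_session(SESSION_UPGRADED))
```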
Created kmail tracking bugs for this issue:
Affects: fedora-all [bug 1995181]
I'll do some more digging but according to the manifest kdepim has been removed from RHEL (since 2019-09-10).
kmail is susceptible to a confidentiality leak if "Server requires authentication" is not checked in the UI.
The issue, in a nutshell, is that this could lead to information not being encrypted that otherwise would be.
Analysis is complete; trackers have been filed.