According to this article, "although the PLAIN keyword is used, the username and password are not sent as plain text over the Internet - they are always BASE64 encoded"
However, “One of the drawbacks with using the PLAIN authentication mechanism is that the username and password can be decoded quite easily if someone controls the SMTP connection. For better security, an authentication mechanism called CRAM-MD5 can be used instead "