diff --git a/internal/notification/channels/smtp/channel.go b/internal/notification/channels/smtp/channel.go
index 099bc1d969..5d8542ea3a 100644
--- a/internal/notification/channels/smtp/channel.go
+++ b/internal/notification/channels/smtp/channel.go
@@ -159,7 +159,9 @@ func (smtpConfig SMTP) smtpAuth(client *smtp.Client, host string) error {
 		return nil
 	}
 	// Auth
-	auth := smtp.PlainAuth("", smtpConfig.User, smtpConfig.Password, host)
+	auth := unencryptedAuth{
+		smtp.PlainAuth("", smtpConfig.User, smtpConfig.Password, host),
+	}
 	err := client.Auth(auth)
 	if err != nil {
 		return caos_errs.ThrowInternalf(err, "EMAIL-s9kfs", "could not add smtp auth for user %s", smtpConfig.User)
diff --git a/internal/notification/channels/smtp/plain_auth.go b/internal/notification/channels/smtp/plain_auth.go
new file mode 100644
index 0000000000..76fde3ec8f
--- /dev/null
+++ b/internal/notification/channels/smtp/plain_auth.go
@@ -0,0 +1,22 @@
+package smtp
+
+import (
+	"net/smtp"
+)
+
+type unencryptedAuth struct {
+	smtp.Auth
+}
+
+// PlainAuth returns an Auth that implements the PLAIN authentication
+// mechanism as defined in RFC 4616. The returned Auth uses the given
+// username and password to authenticate to host and act as identity.
+// Usually identity should be the empty string, to act as username.
+//
+// This reimplementation allows it to work over non-TLS connections
+
+func (a unencryptedAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
+	s := *server
+	s.TLS = true
+	return a.Auth.Start(&s)
+}