Essentially, a MITM attack takes place when an attacker strips or alters the STARTTLS command so that the connection rolls back to an unsecured one, without TLS encryption. This is referred to as a downgrade attack. After successfully performing a downgrade attack, the attacker can read the email content unhindered.
A MITM attacker can also replace the MX records in the DNS query response with a mail server that they have access to and control. The mail transfer agent in that case delivers the email to the attacker's server, enabling them to read and tamper with the email content. The email can subsequently be forwarded to the intended recipient's server without being detected. This is known as a DNS spoofing attack.
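The two attacks above succeed only because the sending side is willing to continue when STARTTLS is missing and to trust whatever MX hosts DNS returns. The following Python is an added example (not code from the original article or from any mail software) that simulates, entirely offline, the two checks a sending mail server can apply to defeat them: a fail-closed TLS decision on a parsed EHLO reply, and a comparison of the resolved MX hosts against a pinned list of patterns in the style of an MTA-STS policy (RFC 8461, where a leading `*.` matches exactly one label). All EHLO replies, host names and DNS answers below are constructed sample data, and the function names are the example's own.

```python
"""Offline simulation of STARTTLS-downgrade and MX-spoofing detection.

All SMTP replies and DNS answers here are constructed sample data;
nothing touches the network.
"""
import re

# Constructed EHLO reply from a legitimate server: STARTTLS is advertised.
EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed reply as the client would see it after a downgrade: the
# STARTTLS capability line is gone, so an opportunistic client sends in clear.
EHLO_DOWNGRADED = (
    "250-mail.example.net Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

# Constructed pinned MX patterns, as an MTA-STS policy would list them.
PINNED_MX = ["mx1.example.net", "*.mail.example.net"]

# Constructed DNS answers: a genuine one and one with a substituted host.
MX_GENUINE = ["mx1.example.net", "mx2.mail.example.net"]
MX_SPOOFED = ["mx1.example.net", "relay.attacker-controlled.example"]


def advertised_extensions(ehlo_reply: str) -> set:
    """Parse a multi-line 250 EHLO reply into the set of advertised keywords."""
    exts = set()
    lines = ehlo_reply.split("\r\n")
    for line in lines[1:]:  # the first line is the greeting, not an extension
        m = re.match(r"250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def tls_decision(ehlo_reply: str, mode: str) -> str:
    """Decide how to proceed after EHLO.

    mode 'opportunistic': use TLS if offered, otherwise send in clear text
                          (this is what a downgrade attack exploits).
    mode 'enforce':       require STARTTLS, otherwise abort the delivery
                          (the behaviour MTA-STS 'enforce' mode demands).
    Returns 'tls', 'cleartext' or 'abort'.
    """
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return "tls"
    if mode == "enforce":
        return "abort"
    return "cleartext"


def mx_matches(host: str, pattern: str) -> bool:
    """MTA-STS-style match: exact name, or '*.' covering exactly one leading label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # e.g. ".mail.example.net"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label
    return host == pattern


def unpinned_mx(mx_hosts, pinned=PINNED_MX):
    """Return the MX hosts matching no pinned pattern: signs of a spoofed answer."""
    return [h for h in mx_hosts if not any(mx_matches(h, p) for p in pinned)]


if __name__ == "__main__":
    for name, reply in (("genuine", EHLO_WITH_STARTTLS), ("downgraded", EHLO_DOWNGRADED)):
        for mode in ("opportunistic", "enforce"):
            print(f"{name:10s} {mode:13s} -> {tls_decision(reply, mode)}")
    print("unpinned MX in genuine answer:", unpinned_mx(MX_GENUINE))
    print("unpinned MX in spoofed answer:", unpinned_mx(MX_SPOOFED))
```

Running the block shows the asymmetry that matters: the same stripped EHLO reply yields `cleartext` under the opportunistic policy but `abort` under the enforced one, and only the substituted host in the spoofed MX answer is reported as unpinned. In a real deployment the enforce path must also validate the server certificate against the MX name, since an attacker who has redirected the connection could otherwise still present their own certificate; that step is outside this offline example.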