diff --git a/aiosmtpd/docs/NEWS.rst b/aiosmtpd/docs/NEWS.rst
index 7cc773c6..e0b2281f 100644
--- a/aiosmtpd/docs/NEWS.rst
+++ b/aiosmtpd/docs/NEWS.rst
@@ -4,6 +4,10 @@
 
 .. towncrier release notes start
 
+1.4.6 (2024-05-06)
+==================
+
+* STARTTLS is now fully enforced if used.
 
 1.4.5 (2024-03-02)
 ==================
diff --git a/aiosmtpd/smtp.py b/aiosmtpd/smtp.py
index c6605a56..3b85fcfb 100644
--- a/aiosmtpd/smtp.py
+++ b/aiosmtpd/smtp.py
@@ -504,6 +504,9 @@ def connection_made(self, transport: asyncio.BaseTransport) -> None:
             self._reader._transport = transport  # type: ignore[attr-defined]
             self._writer._transport = transport  # type: ignore[attr-defined]
             self.transport = transport
+            # Discard any leftover unencrypted data
+            # See https://tools.ietf.org/html/rfc3207#page-7
+            self._reader._buffer.clear()  # type: ignore[attr-defined]
             # Do SSL certificate checking as rfc3207 part 4.1 says.  Why is
             # _extra a protected attribute?
             assert self._tls_protocol is not None