I'd say "especially for connections crossing not-secured network". mails within LAN/DMZ should be safe unencrypted, unless you have reason not to trust the network or someone on it.
that's one choice. some prefer to consider a Zero Trust policy e.g., see https://en.wikipedia.org/wiki/Zero_trust_security_model &, https://www.microsoft.com/en-us/security/business/zero-trust#office-ContentAreaHeadingTemplate-ig3jspu Zero Trust defined Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time. for my own usage, every transit between services is SSL/TLS-wrapped -- local, or not. overkill? that's another choice.
