Description Sönke Schwardt-Krummrich 2015-07-01 10:02:08 CEST

Please check if plaintext authentication without encrypted connection is disallowed by default and may be configured via UCR for dovecot and cyrus.

+++ This bug was initially created as a clone of Bug #38500 +++

In our Cyrus imapd.conf UCR template the values for "allowplaintext" and "sasl_mech_list" are hard coded.  In order to disallow plain text passwords over non-TLS connections these two options should be set to the following values:
allowplaintext: no (currently yes)
sasl_mech_list: PLAIN (currently the same value)

man 5 imapd.conf reads as follows:
If you only list plaintext authentication mechanisms in ``sasl_mech_list'' and set ``allowplaintext: no'', only users on encrypted sessions (TLS or SSL) will be able to authenticate. On the other hand, if  you  list no plaintext authentication options in ``sasl_mech_list'', ``allowplaintext: yes'' would have no effect.