If you’re like me, you’re seeing more and more requests to disable plaintext authentication without encryption for POP and IMAP due to the higher number of people going for PCI compliance.

Fortunately, in Dovecot, this is very easy to configure. The setting you want to use is:

disable_plaintext_auth = yes

This can be found in /etc/dovecot/conf.d/10-auth.conf on newer Dovecot installs:

# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes

Uncomment the directive, restart the service, and you’re golden.

Edit: The conf.d/ folder seems to have appeared with Dovecot 2.x versions. If you’re using Dovecot 1.x, you should be able to plug the line into your /etc/dovecot.conf file without issue.
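
To confirm the setting took effect, check what the server advertises on the unencrypted IMAP port before TLS: LOGINDISABLED should be present and no plaintext SASL mechanism should be offered. The script below is an added example, not part of the original post; its function names are hypothetical and the two sample greetings are constructed. Run the live check from a different machine, since the config comment above notes that connections from the server's own IP are treated as secure.

```python
import imaplib
import re
import sys

# Constructed sample greetings for offline use (not captured from a real server).
SAMPLE_HARDENED = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."
SAMPLE_WEAK = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."

# SASL mechanisms that send the password itself over the wire.
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capabilities(line):
    """Return the capability tokens from a greeting or an untagged CAPABILITY line."""
    if isinstance(line, bytes):
        line = line.decode("ascii", "replace")
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I))
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def audit_pre_tls(caps):
    """List problems with what a server advertises before TLS is negotiated."""
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: the LOGIN command is not disabled before TLS")
    exposed = sorted(PLAINTEXT_MECHS & caps)
    if exposed:
        findings.append("plaintext SASL mechanisms offered before TLS: " + ", ".join(exposed))
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: clients cannot upgrade this connection")
    return findings

def check_server(host, port=143, timeout=10):
    """Connect without TLS, read the advertised capabilities, and audit them."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)  # timeout needs Python 3.9+
    try:
        return audit_pre_tls({c.upper() for c in conn.capabilities})
    finally:
        conn.logout()

if __name__ == "__main__":
    # With a hostname argument, audit that server; otherwise audit the samples.
    if len(sys.argv) > 1:
        results = {sys.argv[1]: check_server(sys.argv[1])}
    else:
        results = {"hardened sample": audit_pre_tls(parse_capabilities(SAMPLE_HARDENED)),
                   "weak sample": audit_pre_tls(parse_capabilities(SAMPLE_WEAK))}
    for name, findings in results.items():
        print(name, "->", findings or "OK: no plaintext login advertised before TLS")
```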

