I'm using Dovecot (1.0.10) locally to test SugarCRM. When I tried to set up a mail account in Sugar, it complains with -- SECURITY PROBLEM: insecure server advertised AUTH=PLAIN Please check your settings and try again. -- don't know if that behaviour is a bug or a feature of php-imap. The case is that I'm unable to set up the mail account in Sugar. Timo answered to me on IRC about Dovecot assuming that a connection from the same ip is considered secured. I'd rebuild Dovecot with the following patch: --- dovecot-1.0.10/src/pop3-login/client.c.orig 2008-01-05 00:44:14.000000000 -0500 +++ dovecot-1.0.10/src/pop3-login/client.c 2008-01-05 00:44:30.000000000 -0500 @@ -331,7 +331,7 @@ client->created = ioloop_time; client->refcount = 1; client->common.tls = ssl; - client->common.secured = ssl || net_ip_compare(ip, local_ip); + client->common.secured = ssl; client->common.local_ip = *local_ip; client->common.ip = *ip; --- but still not able to make it not accept AUTH PLAIN authentication from the same ip. I'm missing something? On the other hand, if I set disable_plaintext_auth to yes I cannot use the classic USER/PASS pop3 verbs. I'm not sure what the POP3 related RFCs mandates with respect to this. Regards, maykel