Therefore, Dovecot's plain text default, and the md5 option, are both non-GDPR compliant.
To avoid monetary sanctions, Dovecot ought to change how it stores passwords by default.
Please do not ignore this message.
GDPR is some piece of bull*it regulation made by the EU. Dovecot is an international software with many users living outside of the EU and are therefore not legislated to those braindead EU regulations.
So, after my mandatory rant :D, the DEFAULT setup of dovecot should actually be as simple as possible. One will in almost any case have to adapt the configuration anyway to fit to the environment, specially when dealing with virtual users and so. And it will for sure not go unnoted, if passwords are saved in cleartext, so it can be thought of and adapted accrodingly. There maybe could be a side note in the readme about that, but to me thats the most which should be done. It is not the job of the Dovecot maintainers to try to enforce senseless regulations in some parts of the word.
Having that said, you will also not find any web servers, which encrypts their logs by default, or wordpress, as an example, is also coming without that stupid cookie consent thing by default. You have to install a plugin to annoy your website visitors first. :)
Steven