On 2025-02-12, Steven Varco via dovecot <dovecot@dovecot.org> wrote:
> Dovecot is an international software with many users living outside of the EU and are therefore not legislated to those braindead EU regulations.
btw, (like some of the USA's tax stuff) the UK and EU GDPR legislations are extra-territorial. They apply if you provide services to users in those areas, even if you're not in those areas yourself.
still, from what Rupert posted:
"the client sends the password in plain text (tls tunneled)"
...I find it hard to believe that using a TLS channel wouldn't be considered good enough for sending login information. Surely a salted hashed password database (who isn't using that anyway?) with disable_plaintext_auth would be acceptable.
(If you want to open a can of worms, consider the contents of the emails themselves, which are often much more sensitive than the passwords...)