Vladislav Kurz via dovecot said on Fri, 6 Mar 2026 09:29:23 +0100
Dne 06. 03. 26 v 0:04 Steve Litt via dovecot napsal(a):
Hi all,
I put auth_allow_cleartext = no in my 2.4.2 dovecot.conf, but my Claws-Mail client can still access it, even though there are no key files. I tried putting this setting in several different places: Didn't prevent plain access. I tried switching from 127.0.0.1 to 10.0.2.15, same problem.
In my experience (dovecot 2.3.13 with disable_plaintext_auth = yes), it allowed plaintext on loopback interface, but not when accessing remotely. This is imho good, so that local webmail can access imap at localhost without wasting cpu cycles on ecnryption.
I have the option near the top of the file, not in any block. E.g. right after listen.
Thanks Vladislav,
First, thanks for the good information about *where* you placed disable_plaintext_auth = yes. I wish the Dovecot docs would consistently do that.
2.4.x has replaced disable_plaintext_auth = yes with auth_allow_cleartext = no , but it doesn't seem to be an exact replacement. Trying on both Localhost and a real address was the first thing I thought of, but with 2.4.2, my results were that auth_allow_cleartext = no placed right after the listen did not prevent plain text access on 10.0.2.15, which is the address of my Qemu VM guest:
[slitt@dovecotvoid ~]$ ip route default via 10.0.2.2 dev ens3 proto dhcp src 10.0.2.15 metric 1002 10.0.2.0/24 dev ens3 proto dhcp scope link src 10.0.2.15 metric 1002 [slitt@dovecotvoid ~]$
If you haven't yet transitioned from 2.3.x to 2.4.x, I'd suggest that you get it running on a test machine before cutting over, because there are some surprises.
SteveT
Steve Litt