On 06/03/2026 01:04 EET Steve Litt via dovecot <dovecot@dovecot.org> wrote:
> Hi all,
> https://doc.dovecot.org/2.4.2/core/summaries/settings.html , the auth_allow_cleartext section, says "If no, disables the LOGIN command and all other cleartext authentication unless SSL/TLS is used (LOGINDISABLED capability) or the connection is secured (see ssl).
> See SSL configuration for more detailed explanation of how this setting interacts with the ssl setting.
> This setting replaces the disable_plaintext_auth setting."
> I put auth_allow_cleartext = no in my 2.4.2 dovecot.conf, but my Claws-Mail client can still access it, even though there are no key files. I tried putting this setting in several different places: Didn't prevent plain access. I tried switching from 127.0.0.1 to 10.0.2.15, same problem. The following is the output of my dovecot -n command:
Hi, auth_allow_cleartext=no is the default setting.
However, as https://doc.dovecot.org/2.4.2/core/config/ssl.html#secured-connections states, connections from login_trusted_networks or from the host listener itself (in your case 10.0.2.15) are considered trusted, so they are allowed to use plaintext login.
So basically set ssl=required
Aki
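
The behaviour described in this reply can be checked from the client side. The following is an added example, not part of the thread and not Dovecot's own code: it reads the capabilities an IMAP server advertises before STARTTLS and reports whether the LOGIN command or a cleartext SASL mechanism is on offer. The two greetings are constructed samples, the function names are hypothetical, and `probe` only gives a meaningful answer when run from a host that is neither the server itself nor inside login_trusted_networks, since those connections count as secured.

```python
import imaplib

CLEARTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}  # SASL mechanisms that send the password as-is

def parse_capabilities(line):
    """Return the capability atoms from an IMAP greeting or CAPABILITY response."""
    upper = line.strip().upper()
    start = upper.find("[CAPABILITY ")
    if start != -1:                        # greeting: * OK [CAPABILITY ...] text
        end = upper.find("]", start)
        if end == -1:
            return set()                   # malformed response code
        return set(upper[start + 12:end].split())
    if upper.startswith("* CAPABILITY "):  # untagged reply to the CAPABILITY command
        return set(upper[13:].split())
    return set()

def assess(caps):
    """Report what a client could do on this connection before any STARTTLS."""
    caps = {c.upper() for c in caps}
    login_command = "LOGINDISABLED" not in caps  # RFC 3501: LOGIN allowed unless advertised
    sasl = sorted(caps & CLEARTEXT_SASL)
    return {
        "login_command": login_command,
        "cleartext_sasl": sasl,
        "starttls": "STARTTLS" in caps,
        "cleartext_accepted": login_command or bool(sasl),
    }

def probe(host, port=143):
    """Read pre-STARTTLS capabilities from a live server; no credentials are sent."""
    with imaplib.IMAP4(host, port) as conn:
        return assess(conn.capabilities)

# Constructed greetings (not captured from the poster's server).
SECURED_VIEW = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready."
REMOTE_VIEW = "* OK [CAPABILITY IMAP4rev1 SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready."

if __name__ == "__main__":
    for label, banner in (("trusted/local", SECURED_VIEW), ("remote", REMOTE_VIEW)):
        print(label, assess(parse_capabilities(banner)))
```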