Marcus Rueckert wrote:

...

What am I missing? dovecot -n output would help.

It would, but I found/fixed the problem already.

I had to set the following:

protocol imap { disable_plaintext_auth=no }

The default has changed from "no" to "yes" between 1.1.20 and 2.0.1, but the conversion routine didn't pick it up (the wiki Documentation suggests the default is still "no". Perhaps this should be updated?)

This still requires TLS on port 993, so there's no additional hole opened.

Ironically, we published plans some time back to disable local-access plaintext imap logins in October and have been warning users to change their settings but 90% of them hadn't yet done so.