I'm using Dovecot 2.1.15. I need to require encryption and only secure auth on public addresses, but allow plaintext auth over an unencrypted connection on localhost.

I have so far (excerpts from doveconf -a):

auth_mechanisms = cram-md5 plain disable_plaintext_auth = yes listen = service imap-login { inet_listener imap-local { address = ::1 port = 143 ssl = no } inet_listener imap-pub { address = 2001:db8::1 port = 993 ssl = yes } } service managesieve-login { inet_listener sieve-local { address = ::1 port = 4190 ssl = no } inet_listener sieve-pub { address = 2001:db8::1 port = 4190 ssl = no } }

The ssl option only seems to switch the inet_listener between using a secure socket and using STARTTLS. How do I tell a given inet_listener to do neither? How do I tell a given inet_listener to require STARTTLS before allowing AUTH/SASL?

I would prefer to offer only CRAM-MD5 on the UGA/public ports, and only PLAIN or at least also PLAIN on localhost. I tried adding auth_mechanisms lines to each inet_listener block, but got parse errors. How do I do this?

Dovecot seems to ignore disable_plaintext_auth = yes:

# telnet 2001:db8::1 4190 Trying 2001:db8::1... Connected to host.example.com. Escape character is '^]'. "IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave" "NOTIFY" "mailto" "SASL" "CRAM-MD5 PLAIN" "STARTTLS" "VERSION" "1.0" OK "Dovecot ready."

-- Please reply on list.