[Dovecot] Dovecot not obeying disable_plaintext_auth = yes and how to force/disable encryption

Darren Pilgrim list_dovecot at bluerosetech.com
Mon Mar 18 01:22:03 EET 2013


I'm using Dovecot 2.1.15.  I need to require encryption and only secure 
auth on public addresses, but allow plaintext auth over an unencrypted 
connection on localhost.

I have so far (excerpts from `doveconf -a`):

auth_mechanisms = cram-md5 plain
disable_plaintext_auth = yes
listen =
service imap-login {
  inet_listener imap-local {
    address = ::1
    port = 143
    ssl = no
  }
  inet_listener imap-pub {
    address = 2001:db8::1
    port = 993
    ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve-local {
    address = ::1
    port = 4190
    ssl = no
  }
  inet_listener sieve-pub {
    address = 2001:db8::1
    port = 4190
    ssl = no
  }
}

The ssl option only seems to switch the inet_listener between using a 
secure socket and using STARTTLS.  How do I tell a given inet_listener 
to do neither?  How do I tell a given inet_listener to require STARTTLS 
before allowing AUTH/SASL?

I would prefer to offer only CRAM-MD5 on the UGA/public ports, and only 
PLAIN or at least also PLAIN on localhost.  I tried adding 
auth_mechanisms lines to each inet_listener block, but got parse errors. 
How do I do this?

Dovecot seems to ignore disable_plaintext_auth = yes:

# telnet 2001:db8::1 4190
Trying 2001:db8::1...
Connected to host.example.com.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave"
"NOTIFY" "mailto"
"SASL" "CRAM-MD5 PLAIN"
"STARTTLS"
"VERSION" "1.0"
OK "Dovecot ready."

-- 
Please reply on list.
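The telnet check in the post, turned into a repeatable audit (added example, not from the post or from Dovecot): it parses the pre-STARTTLS ManageSieve greeting and flags PLAIN/LOGIN being advertised on a listener that is not meant to accept plaintext auth. The sample greeting is constructed from the post's output; `fetch_greeting` is an assumed helper for reading a live greeting.

```python
import re
import socket

# Quoted strings as they appear in a ManageSieve greeting, e.g. "SASL" "CRAM-MD5 PLAIN"
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Mechanisms that send the password (or a password equivalent) in the clear
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_greeting(text):
    """Map each capability name to its value ('' for bare ones such as STARTTLS)."""
    caps = {}
    for line in text.splitlines():
        fields = _QUOTED.findall(line.strip())
        if fields and not line.lstrip().startswith("OK"):
            caps[fields[0].upper()] = fields[1] if len(fields) > 1 else ""
    return caps


def audit_greeting(text, loopback=False):
    """Return findings for a greeting read before STARTTLS on the given listener."""
    if loopback:
        return []  # plaintext auth on ::1 is the stated policy, nothing to flag
    caps = parse_greeting(text)
    mechs = set(caps.get("SASL", "").upper().split())
    findings = []
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed:
        findings.append(f"plaintext mechanism(s) offered before STARTTLS: {' '.join(exposed)}")
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised; no way to upgrade the connection")
    return findings


def fetch_greeting(host, port=4190, timeout=5.0):
    """Read the cleartext greeting up to the OK line (assumed helper, needs network)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while not re.search(rb"^OK\b", data, re.M):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("utf-8", "replace")


# Constructed sample: the capability lines from the post, one capability per line
SAMPLE = ('"IMPLEMENTATION" "Dovecot Pigeonhole"\n"SASL" "CRAM-MD5 PLAIN"\n'
          '"STARTTLS"\n"VERSION" "1.0"\nOK "Dovecot ready."\n')
```

Run the live check from a host other than the server itself: Dovecot treats a connection whose source address equals the listener's own address as already secured, so a test from the server to its own public address does not exercise the plaintext restriction.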

