> Yes, it allows submit.domain.org to use plaintext for all authentications. 
> But typically your submit server wouldn't be trying to authenticate as 
> anything other than the submit user, I think?

> In v1.2 you could also do something similar to this by adding the submit 
> server's IP to login_trusted_networks.

A well-behaved submission server will only authenticate as a submit user.  But 
the intent is to "open the door" as little as possible.  If the administrator 
of the IMAP server disables plain text auth, it's safer to weaken that only for 
submit user(s) than for an entire network.  Anyone on that network would be 
able to use plain text auth for any user.

Consider that the submission server and the IMAP server may be unrelated, under 
completely different administrative domains.  Separate departments of a school 
or business, for instance, or even different schools or businesses.  You would 
want to allow submit users from any network to connect (securely) and 
authenticate.  But the authentication must be plain-text for submit user(s) 
even when regular users are forbidden from using it.  RFC 4468 section 3.3 
requires it:

    Specifically, this requires that the submit server implement a
    configuration that uses STARTTLS followed by SASL PLAIN [SASL-PLAIN] to
    authenticate to the IMAP server.
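
An added example, not part of the original message and not Dovecot code: a small model of the two ways discussed above to exempt a submit server from a "no plaintext auth" policy, by network or by user. The function names, the user names and the addresses are assumptions made for illustration, and the model assumes the per-user exemption applies only after STARTTLS.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str        # identity presented in SASL PLAIN
    remote_ip: str   # client address as seen by the IMAP server
    tls: bool        # True once STARTTLS has completed

def network_exemption(login, trusted_networks):
    """PLAIN allowed for ANY user whose connection comes from a trusted network."""
    ip = ipaddress.ip_address(login.remote_ip)
    return any(ip in ipaddress.ip_network(net) for net in trusted_networks)

def user_exemption(login, submit_users):
    """PLAIN allowed only for listed submit users, from any network, over TLS."""
    return login.tls and login.user in submit_users

# Constructed sample data (documentation address ranges, made-up user names).
TRUSTED = ["192.0.2.0/24"]
SUBMIT_USERS = {"submit"}
ATTEMPTS = [
    Login("submit", "192.0.2.10", True),     # submit server on the trusted network
    Login("alice", "192.0.2.77", False),     # other host on that network, no TLS
    Login("submit", "198.51.100.5", True),   # submit server in another domain
    Login("alice", "198.51.100.9", True),    # regular user elsewhere
]

def compare(attempts=ATTEMPTS):
    """Return (user, ip, network_decision, user_decision) per attempt."""
    return [(a.user, a.remote_ip,
             network_exemption(a, TRUSTED),
             user_exemption(a, SUBMIT_USERS)) for a in attempts]

if __name__ == "__main__":
    for user, ip, by_net, by_user in compare():
        print(f"{user:7} {ip:14} network-rule={by_net!s:5} user-rule={by_user}")
```

The second row is the case the network rule lets through and the user rule does not; the third row is the cross-domain submit server that only the user rule admits.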
