On Tue, 22 Aug 2017, Aki Tuomi wrote:

> else (NOT LOCALHOST) and you can see it says LOGINDISABLED unless you
> have enabled something like cram-md5.


Hi,

Exactly, this is the reason why plain text is still needed. You don't need 
encryption for authentication if you have secure authentication. Without 
knowing the original password, the MITM cannot generate the correct hash for login, so 
the connection can be plain text.

Of course, if you then download your emails, the MITM can still read these 
emails too, if these emails are plain text (not encrypted using e.g. S/MIME or 
GPG). But he cannot misuse your login.


Regards,

Robert Wolf.