LILiK-117bis / lilik_playbook

Playbooks to a new Lilik

Dovecot authentication mechanisms

cimbalo opened this issue · comments

Dovecot with ldap auth_bind only supports the plain and login authentication mechanisms.
Since they both use plain text passwords, they are only enabled on the imaps protocol.
This makes the imap protocol useless, since no remaining authentication mechanisms are allowed.

We can use PasswordLookups instead, which supports crypt mechanisms.
Cons:

  • requires a bind dn with permission to read user password hashes
  • may require a different hash format for LDAP password

The old LILiK mail server permits plain text authentication mechanism over imap, which I think is the worst solution.

But auth_bind is preferable: it only returns the user info if the user is found.

I think we should look into encrypting the connection to ldap if we really are that concerned.

Moreover, we can configure Dovecot with our CA and use STARTTLS, upgrading every connection to an encrypted channel. This should kill every kind of unencrypted plaintext authentication.

Some admins want to require SSL/TLS, but don't realize that this is also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes and ssl=required settings).
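The configuration the last two comments describe, written out as an added example (this is not from the lilik_playbook repository): the weak state the issue opened with, next to a Dovecot setup that keeps `auth_bind` with PLAIN/LOGIN but forces them behind TLS, and that also encrypts the Dovecot-to-LDAP leg with the site CA. Hostnames, DNs, and file paths are placeholders; the setting names are Dovecot's own.

```ini
# --- Weak (the situation described in the issue) ---
# PLAIN and LOGIN are the only mechanisms auth_bind can offer, and nothing
# forces them onto an encrypted channel, so the only safe-looking option was
# to offer them on imaps alone, leaving port 143 with no mechanism at all.
#
#   disable_plaintext_auth = no
#   ssl = yes
#   auth_mechanisms = plain login

# --- Corrected: same mechanisms, only ever sent over TLS ---

# conf.d/10-auth.conf
# Refuse PLAIN/LOGIN on an unencrypted connection. On port 143 Dovecot then
# advertises LOGINDISABLED until the client has completed STARTTLS.
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-ldap.conf.ext

# conf.d/10-ssl.conf
# "required" makes STARTTLS mandatory on 143 in addition to implicit TLS on 993.
ssl = required
# placeholder paths for the server certificate and key
ssl_cert = </etc/dovecot/certs/mail.example.org.pem
ssl_key = </etc/dovecot/private/mail.example.org.key

# conf.d/auth-ldap.conf.ext
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-ldap.conf.ext
# Encrypt the Dovecot -> LDAP connection as well, verified against the site CA.
# placeholder LDAP host
uris = ldap://ldap.example.org
tls = yes
# placeholder path to the CA mentioned in the thread
tls_ca_cert_file = /etc/ssl/certs/lilik-ca.pem
tls_require_cert = demand
# placeholder base DN
base = ou=people,dc=example,dc=org
# auth_bind: Dovecot binds to LDAP as the user, so no service account needs
# read access to password hashes (the "cons" listed for password lookups).
auth_bind = yes
auth_bind_userdn = uid=%u,ou=people,dc=example,dc=org
# A read-only account is still needed for the userdb attribute lookup; it does
# not need to read userPassword. Placeholder values.
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = PLACEHOLDER_PASSWORD
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_filter = (&(objectClass=posixAccount)(uid=%u))
```

To check the result from a client, connect to port 143 with `openssl s_client -starttls imap -connect mail.example.org:143` and compare the CAPABILITY line before and after the TLS upgrade: a correctly configured server lists LOGINDISABLED and no AUTH= mechanism on the plaintext connection, and AUTH=PLAIN AUTH=LOGIN once STARTTLS has completed.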