*-login: ssl=required should imply disable_plaintext_auth=yes

diff --git a/src/imap-login/client.c b/src/imap-login/client.c
index 55f38fd2c1e17a50b16ef39bb3e51766054809f7..c5d7097596647913aceb49e0c2feb48b28a6ba8a 100644 (file)
--- a/src/imap-login/client.c
+++ b/src/imap-login/client.c
@@ -12,6 +12,7 @@
 #include "imap-id.h"
 #include "imap-resp-code.h"
 #include "master-service.h"
+#include "master-service-ssl-settings.h"
 #include "master-auth.h"
 #include "client.h"
 #include "client-authenticate.h"
@@ -64,7 +65,8 @@ static const char *get_capability(struct client *client)
 
        if (client_is_tls_enabled(client) && !client->tls)
                str_append(cap_str, " STARTTLS");
-       if (client->set->disable_plaintext_auth && !client->secured)
+       if (!client->secured & (client->set->disable_plaintext_auth ||
+                               strcmp(client->ssl_set->ssl, "required") == 0))
                str_append(cap_str, " LOGINDISABLED");
 
        client_authenticate_get_capabilities(client, cap_str);

diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c
index 485a7d3081c3c85a76aa74e4f3f476d9e6191e9b..99c7f347324f314054813da6d5f4cd668876a85b 100644 (file)
--- a/src/login-common/client-common-auth.c
+++ b/src/login-common/client-common-auth.c
@@ -615,7 +615,8 @@ int client_auth_begin(struct client *client, const char *mech_name,
 
 bool client_check_plaintext_auth(struct client *client, bool pass_sent)
 {
-       if (client->secured || !client->set->disable_plaintext_auth)
+       if (client->secured || (!client->set->disable_plaintext_auth &&
+                               strcmp(client->ssl_set->ssl, "required") != 0))
                return TRUE;
 
        if (client->set->auth_verbose) {