After upgrading to Fedora 15 from Fedora 13, I find that the insecure non-SSL pop3 and imap protocols have been enabled — with PLAIN auth! My old config had these insecure protocols disabled, and the default installation should have them disabled too.
I'll change it in Fedora 16 and rawhide. I don't want to break F15 installations.
I understand the reticence but I'm not sure there are many people who would consider that 'breakage'. I would ask that you reconsider, and *do* disable the unencrypted logins for Fedora 15. Or failing that, is there at least a way to disable plain-text auth mechanisms lile PLAIN when you're on an unencrypted connection, and only accept things like CRAM-MD5 that don't give the password away? Logging in over an unencrypted protocol with a plain-text password is *such* a broken thing that I would want a big shouty warning (like the one that sudo sends in email when a non-sudoer tries) if it ever happens.
I understand your concerns, but it could break existing setups. Fixing this in released distro is too difficult. Also using more "advanced" configuration can cause even bigger breakage, because dovecot.conf is split in several files. If we change 2 files foo.cfg and bar.cfg where user changed bar.cfg he gets only half of the changes, because config file is updated only if user did not change it. So we can break it easily and can't guarantee that user gets required changes. So I'm not going to change anything in Fedora 15, sorry.
dovecot-2.0.14-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/dovecot-2.0.14-2.fc16
Package dovecot-2.0.14-2.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing dovecot-2.0.14-2.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/dovecot-2.0.14-2.fc16 then log in and leave karma (feedback).
dovecot-2.0.15-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/dovecot-2.0.15-1.fc15
dovecot-2.0.15-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/dovecot-2.0.15-1.fc14
dovecot-2.0.15-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/dovecot-2.0.15-1.fc16
dovecot-2.0.15-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
dovecot-2.0.15-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
dovecot-2.0.15-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.