"Prefer compatibility" forces the "old fashioned" LOGIN (not SASL PLAIN).
Re: I want to force the "LOGIN" mechanism, because at least the password won't be sent in plain text.
Not true. Both "LOGIN" and "SASL PLAIN" send the password as clear text or base64 encoded clear text. Zero security.
Re: Also, is there any documentation as to what the actual algorithms are for "Choose automatically" and "Prefer compatibility", so I can understand which one of these I should select for any given IMAP server I might want to use?
IMAP:
- Prefer compat -> old-fashioned "LOGIN" command
- Automatic -> ask the server (CAPABILITY command) -> SASL PLAIN if available -> SASL MD5 if available -> old-fashoned "LOGIN" as fallback
SMTP:
- Automatic -> ask the server (EHLO command) -> SASL MD5 if the only one advertised by the server -> SASL PLAIN -> SASL LOGIN (which for SMTP is same as "old fashioned" LOGIN)
- And then there is a drop-down to select a specific method
---
The auth method which does *not* send the password, at all, is CRAM-MD5.
The app will use it for IMAP if:
1) the setting is automatic and 2) it's the only advertised login method
... will use it for SMTP if
1) the setting is automatic and 2) it's advertised
OR if
the setting is SASL CRAM-MD5
---
PS - I've got a Dovecot server on Debian Jessie, don't use it much, but never ever had any trouble with logins or SSL/TLS being unreliable... FWIW....
