changeset 19596:3e4358b58c3f

imap-login: If LOGINDISABLED capability is advertised in banner, don't try to LOGIN without SSL/TLS. This avoids accidentally sending the password in plaintext. Also the server should fail the LOGIN in any case.
author Timo Sirainen <timo.sirainen@dovecot.fi>
date Tue, 19 Jan 2016 23:47:08 +0200
parents d993ed368ee0
children b8e8ea7a1871
files src/imap-login/imap-login-client.h src/imap-login/imap-proxy.c
diffstat 2 files changed, 10 insertions(+), 0 deletions(-) [+]
--- a/src/imap-login/imap-login-client.h	Tue Jan 19 20:45:27 2016 +0200
+++ b/src/imap-login/imap-login-client.h	Tue Jan 19 23:47:08 2016 +0200
@@ -36,6 +36,7 @@
 
 	unsigned int cmd_finished:1;
 	unsigned int proxy_sasl_ir:1;
+	unsigned int proxy_logindisabled:1;
 	unsigned int proxy_seen_banner:1;
 	unsigned int skip_line:1;
 	unsigned int id_logged:1;
--- a/src/imap-login/imap-proxy.c	Tue Jan 19 20:45:27 2016 +0200
+++ b/src/imap-login/imap-proxy.c	Tue Jan 19 23:47:08 2016 +0200
@@ -81,6 +81,12 @@
 
 	if (client->common.proxy_mech == NULL) {
 		/* logging in normally - use LOGIN command */
+		if (client->proxy_logindisabled &&
+		    login_proxy_get_ssl_flags(client->common.login_proxy) == 0) {
+			client_log_err(&client->common,
+				"proxy: Remote advertised LOGINDISABLED and SSL/TLS not enabled");
+			return -1;
+		}
 		str_append(str, "L LOGIN ");
 		imap_append_string(str, client->common.proxy_user);
 		str_append_c(str, ' ');
@@ -143,6 +149,8 @@
 			proxy_write_id(client, str);
 		if (str_array_icase_find(capabilities, "SASL-IR"))
 			client->proxy_sasl_ir = TRUE;
+		if (str_array_icase_find(capabilities, "LOGINDISABLED"))
+			client->proxy_logindisabled = TRUE;
 		i_free(client->proxy_backend_capability);
 		client->proxy_backend_capability =
 			i_strdup(t_strcut(line + 5 + 12, ']'));
@@ -374,6 +382,7 @@
 	struct imap_client *imap_client = (struct imap_client *)client;
 
 	imap_client->proxy_sasl_ir = FALSE;
+	imap_client->proxy_logindisabled = FALSE;
 	imap_client->proxy_seen_banner = FALSE;
 	imap_client->proxy_capability_request_sent = FALSE;
 	client->proxy_state = IMAP_PROXY_STATE_NONE;
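Review bot: The LOGINDISABLED detection in the second hunk only inspects the capability list taken from the banner's `[CAPABILITY ...]` response code (the `line + 5 + 12` parse), so a backend that omits capabilities from its banner and answers the proxy's explicit CAPABILITY request later would never set `proxy_logindisabled`, and the guard in the first hunk would not fire for it. If that later reply is handled in a separate branch outside this hunk — the `proxy_capability_request_sent` flag reset in the third hunk suggests such a path exists — the same `if (str_array_icase_find(capabilities, "LOGINDISABLED")) client->proxy_logindisabled = TRUE;` check belongs there too. The guard in the first hunk also treats any non-zero `login_proxy_get_ssl_flags()` value as sufficient protection, which presumes the LOGIN line is only written after STARTTLS has actually completed; a comment such as `/* non-zero ssl_flags: LOGIN is written only once the proxy connection is TLS-protected */` would make that assumption explicit for the next reader. All three enclosing functions begin and end outside the hunks shown.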