TLS doesn't enforce, it just provides the option (unless there is a way to require TLS).
In the normal build, plaintext passwords are not allowed (the USER command is not permitted) until either SSL is in effect or TLS is negotiated.
So, in effect, TLS is required unless you have Kerberos or CRAM-MD5 set up.
-- Mark --
http://staff.washington.edu/mrc Science does not emerge from voting, party politics, or public debate. Si vis pacem, para bellum.
