diff --git a/src/imap-login/imap-login-client.h b/src/imap-login/imap-login-client.h
index 2a38949c6e..19c8739b93 100644
--- a/src/imap-login/imap-login-client.h
+++ b/src/imap-login/imap-login-client.h
@@ -36,6 +36,7 @@ struct imap_client {
 
 	unsigned int cmd_finished:1;
 	unsigned int proxy_sasl_ir:1;
+	unsigned int proxy_logindisabled:1;
 	unsigned int proxy_seen_banner:1;
 	unsigned int skip_line:1;
 	unsigned int id_logged:1;
diff --git a/src/imap-login/imap-proxy.c b/src/imap-login/imap-proxy.c
index 3b02cb3f93..daeaecd98f 100644
--- a/src/imap-login/imap-proxy.c
+++ b/src/imap-login/imap-proxy.c
@@ -81,6 +81,12 @@ static int proxy_write_login(struct imap_client *client, string_t *str)
 
 	if (client->common.proxy_mech == NULL) {
 		/* logging in normally - use LOGIN command */
+		if (client->proxy_logindisabled &&
+		    login_proxy_get_ssl_flags(client->common.login_proxy) == 0) {
+			client_log_err(&client->common,
+				"proxy: Remote advertised LOGINDISABLED and SSL/TLS not enabled");
+			return -1;
+		}
 		str_append(str, "L LOGIN ");
 		imap_append_string(str, client->common.proxy_user);
 		str_append_c(str, ' ');
@@ -143,6 +149,8 @@ static int proxy_input_banner(struct imap_client *client,
 			proxy_write_id(client, str);
 		if (str_array_icase_find(capabilities, "SASL-IR"))
 			client->proxy_sasl_ir = TRUE;
+		if (str_array_icase_find(capabilities, "LOGINDISABLED"))
+			client->proxy_logindisabled = TRUE;
 		i_free(client->proxy_backend_capability);
 		client->proxy_backend_capability =
 			i_strdup(t_strcut(line + 5 + 12, ']'));
@@ -374,6 +382,7 @@ void imap_proxy_reset(struct client *client)
 	struct imap_client *imap_client = (struct imap_client *)client;
 
 	imap_client->proxy_sasl_ir = FALSE;
+	imap_client->proxy_logindisabled = FALSE;
 	imap_client->proxy_seen_banner = FALSE;
 	imap_client->proxy_capability_request_sent = FALSE;
 	client->proxy_state = IMAP_PROXY_STATE_NONE;