Phil Howard
2010-May-06 20:41 UTC
[Dovecot] disable plaintext auth ... only for some addresses
I'd like to disable plaintext authentication (e.g. only allow authentication that does STARTTLS or connects on SSL/TLS-only ports) only for certain (most) IP addresses. I want to exempt a few addresses (users coming over known VPNs).

Fortunately, all this is coming in over a firewall (Sonicwall) in which I can NAT traffic by IP address to go to specific port numbers. So, if I can establish a different disable_plaintext_auth policy by port number (for extra port numbers I'll choose later), that would let me accomplish this.

If I cannot do this, then my only alternative is making the SSL/TLS-only ports the only ones open to the internet, and using the non-SSL/TLS ports only for the VPNs (with disable_plaintext_auth = no). But I read somewhere that this is discouraged. What say ye?