Even if the server property xmpp.client.tls.policy is set to required, Openfire will offer SASL mechanisms, including PLAIN.
It looks like there are several bugs here:
First, if TLS is required, OF should probably not be offering SASL mechanisms until STARTTLS has been negotiated.
Second, if the client still attempts to use SASL over an unencrypted connection (when TLS is required), OF should not negotiate (in particular, it should not indicate success for a SASL PLAIN authentication attempt).
Third, OF probably shouldn’t be sending an empty stream:features tag. I would guess that the right thing to do would be to simply offer the starttls feature again – or possibly close the stream.
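A check for the first and third points, as an added example that is not part of the original report and not Openfire code: it audits a `stream:features` stanza captured on the unencrypted stream and reports SASL mechanisms offered before TLS, or an empty feature list. The function name, finding labels and sample stanzas are constructed for illustration; the namespaces are those of RFC 6120.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

def audit_pre_tls_features(features_xml, tls_required=True):
    """Findings for a <stream:features/> stanza received BEFORE TLS is up."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features element")
    if not tls_required:
        return []  # policy allows cleartext; nothing to flag here
    if len(root) == 0:
        # Third point of the report: an empty feature list on a cleartext stream
        return ["empty-features"]
    findings = []
    if root.find(f"{{{NS_TLS}}}starttls") is None:
        findings.append("starttls-not-offered")
    path = f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism"
    mechs = [m.text.strip().upper() for m in root.iterfind(path) if m.text]
    if mechs:
        # First point: SASL advertised before STARTTLS has been negotiated
        findings.append("sasl-offered-before-tls:" + ",".join(mechs))
        if "PLAIN" in mechs:
            findings.append("plain-offered-in-cleartext")
    return findings

# Constructed sample stanzas (not captured from a real server).
OPEN = f'<stream:features xmlns:stream="{NS_STREAM}">'
STARTTLS = f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
REPORTED = (OPEN + STARTTLS + f'<mechanisms xmlns="{NS_SASL}">'
            "<mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>"
            "</mechanisms></stream:features>")
EXPECTED = OPEN + STARTTLS + "</stream:features>"
EMPTY = f'<stream:features xmlns:stream="{NS_STREAM}"/>'

if __name__ == "__main__":
    for name, stanza in (("reported", REPORTED), ("expected", EXPECTED),
                         ("empty", EMPTY)):
        print(name, audit_pre_tls_features(stanza))
```

The second point (the server accepting a SASL PLAIN exchange in cleartext) cannot be seen from the feature list alone and needs a test against a live test instance.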