I made some time to work on this today.  Attached is a new patch.  I've incorporated the tests from the existing patches (though I'm doing the infrastructure a bit differently).  PLAIN seems to be a specific case of the general authenticate, so I just have a generalized test.

My fix is slightly different.  I'm changing the _Authenticate class to except either bytes or string as input.  String because that's more natural in Python3, bytes because there might be auth mechanisms that require bytes (since implementations can define 'X' auth mechanisms).

The authentication callback always gets passed the data as bytes, for the same reasons of generality.  So I'd be OK with the idea that the authentication handler always has to return bytes...which would require a different fix in login_cram_md5.

My login_cram_md5 test passes, so I *think* the fix I made there is OK.  However, I'm getting a traceback from SSL about the socket being shut down, which seems to arise from an imaplib.abort resulting from an unexpected 'b''' value.  I'm out of time for working in this right now, so I'm uploading the patch to see if anyone else has time to figure it out.  I'll come back to it as some point but I don't know when.