diff --git a/INSTALL b/INSTALL
index a99f1078044..9b6c04f079e 100644
--- a/INSTALL
+++ b/INSTALL
@@ -265,17 +265,14 @@ uses the GNU Mailutils 'movemail' program to retrieve mail.  Otherwise
 the Emacs build procedure builds and installs an auxiliary 'movemail'
 program, a limited and insecure substitute that Emacs can use when
 Mailutils is not installed; when this happens, there are several
-configure options such as --without-pop that provide fine-grained
+configure options such as --with-mail-unlink that provide fine-grained
 control over Emacs 'movemail' construction.
 
 The Emacs mail reader RMAIL is configured to be able to read mail from
 a POP3 server by default.  Versions of the POP protocol older than
 POP3 are not supported.  While POP3 support is typically enabled,
 whether Emacs actually uses POP3 is controlled by individual users;
-see the Rmail chapter of the Emacs manual.  Unless you configure
---with-mailutils, it is a good idea to configure --without-pop so that
-users are less likely to inadvertently read email via insecure
-channels.
+see the Rmail chapter of the Emacs manual.
 
 For image support you may have to download, build, and install the
 appropriate image support libraries for image types other than XBM and
diff --git a/configure.ac b/configure.ac
index 833aaa5eb27..83071e619b0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -229,19 +229,17 @@ AC_DEFUN([OPTION_DEFAULT_ON], [dnl
    m4_bpatsubst([with_$1], [[^0-9a-z]], [_])=$with_features])dnl
 ])dnl
 
-# FIXME: The default options '--without-mailutils --with-pop' result
-# in a movemail implementation that supports only unencrypted POP3
-# connections.  Encrypted connections should be the default.
-
 OPTION_DEFAULT_OFF([mailutils],
-  [rely on GNU Mailutils being installed; this makes the options
-   --without-pop through --with-mailhost irrelevant])
+  [rely on GNU Mailutils being installed, so that --with-pop through
+   --with-mailhost are irrelevant])
 if test "$with_mailutils" = no; then
   with_mailutils=
 fi
 AC_SUBST([with_mailutils])
 
-OPTION_DEFAULT_ON([pop],[don't support POP mail retrieval with movemail])
+OPTION_DEFAULT_OFF([pop],
+  [support POP mail retrieval with movemail (not recommended, as its
+   email retrieval is unencrypted)])
 if test "$with_pop" = yes; then
    AC_DEFINE(MAIL_USE_POP)
 fi
@@ -5482,15 +5480,11 @@ fi
 
 AC_OUTPUT
 
-if test ! "$with_mailutils"; then
+if test ! "$with_mailutils" && test "$with_pop" = yes; then
   case $opsys in
     cygwin | mingw32)
       # Don't suggest GNU Mailutils, as it hasn't been ported.
-      if test "$with_pop" = yes; then
-	emacs_fix_movemail="use '$0 --without-pop'"
-      else
-	emacs_fix_movemail=
-      fi;;
+      emacs_fix_movemail="use '$0' (without '--with-pop')";;
     *)
       emacs_fix_movemail="use '$0 --with-mailutils'"
       case `(movemail --version) 2>/dev/null` in
@@ -5500,14 +5494,9 @@ if test ! "$with_mailutils"; then
       esac;;
   esac
 
-  if test "$with_pop" = yes; then
-    AC_MSG_WARN([This configuration installs a 'movemail' program
-that retrieves POP3 email via only insecure channels.
-To fix this you can $emacs_fix_movemail.])
-  elif test "$emacs_fix_movemail"; then
-    AC_MSG_NOTICE([This configuration installs a 'movemail' program that cannot
-retrieve POP3 email.  You might want to $emacs_fix_movemail.])
-  fi
+  AC_MSG_WARN([This configuration installs a 'movemail' program
+that retrieves POP3 email via only unencrypted channels.
+To avoid the problem you can $emacs_fix_movemail.])
 fi
 
 test "$MAKE" = make || AC_MSG_NOTICE([Now you can run '$MAKE'.])
diff --git a/etc/NEWS b/etc/NEWS
index cd98f533998..bf50d1a3eec 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -32,9 +32,15 @@ version 2.6.6 or later.
 
 ** The new option 'configure --with-mailutils' causes Emacs to rely on
 GNU Mailutils 'movemail' to retrieve email.  By default, the Emacs
-build procedure continues to build and install a limited and insecure
-'movemail' substitute.  Although --with-mailutils is recommended, it
-is not yet the default due to backward-compatibility concerns.
+build procedure continues to build and install a limited 'movemail'
+substitute.  Although --with-mailutils is recommended, it is not yet
+the default due to backward-compatibility concerns.
+
+** The option 'configure --without-pop' is now the default.
+(This option's setting matters only if --with-mailutils is not used.)
+Using --with-pop (the previous default) preserves the historical
+behavior where Emacs 'movemail' retrieves network email only via
+unencrypted channels.
 
 ** The new option 'configure --enable-gcc-warnings=warn-only' causes
 GCC to issue warnings without stopping the build.  This behavior is