Bug 2435251

Summary: STARTTLS does not work with cyrus-imapd >=3.8.6 and >=3.10.2
Product: [Fedora] Fedora
Reporter: Martin Osvald 🛹 <mosvald>
Component: cyrus-imapd
Assignee: Martin Osvald 🛹 <mosvald>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 43
CC: fhrdina, jorton, j, mosvald, pavel, zdohnal
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Last Closed: 2026-01-29 11:52:43 UTC

Description Martin Osvald 🛹 2026-01-29 11:51:57 UTC
https://bodhi.fedoraproject.org/updates/FEDORA-2026-93c7a550b9
~~~
After the update from cyrus 3.8 I can not connect to the server anymore. Lots of this error in the log: session ended: sessionid=<cyrus-1769669820-6072-1-14846267638718756014> userid=<> id.name=<(null)>

Trying to recreate the account in Thunderbird tells me it does not support TLS. Downgrade to 3.8 fixed the problem instantly.
~~~

Reproducible: Always

Steps to Reproduce:
1. Upgrade cyrus-imapd to >=3.8.6 / >=3.10.2



Additional Information:
This is expected behavior on 3.8.6 / 3.10.2:

https://www.cyrusimap.org/3.10/imap/download/release-notes/3.10/x/3.10.2.html
~~~
The industry is deprecating STARTTLS (aka opportunistic TLS) in favor of implicit TLS over a dedicated port. STARTTLS is now disabled by default.

Installations that need to service clients that use opportunistic TLS should enable the allowstarttls imapd.conf(5) option for the services that need it. For example, for a service configured with the name imap in cyrus.conf(5), set imap_allowstarttls: on to enable STARTTLS.
~~~

The same applies to the 3.8.6 version:

https://www.cyrusimap.org/imap/download/release-notes/3.8/x/3.8.6.html

Fix options

1. Use implicit TLS (recommended):

Configure clients to use IMAPS on port 993 (“SSL/TLS” in Thunderbird) instead of STARTTLS on 143.

2. Re-enable STARTTLS (what your Thunderbird likely expects):

Enable STARTTLS for the relevant service(s) by setting the service-specific option in imapd.conf:

For the service named imap in cyrus.conf, add:

~~~
imap_allowstarttls: on
~~~

There is also the possibility of allowing this globally in /etc/imapd.conf:

~~~
allowstarttls: 1
~~~

Cyrus-imapd supports both global and per-service variants.
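
An added example, not part of the original bug report or of Cyrus itself: a small audit that reads imapd.conf text and reports, per service, whether STARTTLS is effectively enabled after the upgrade. The sample configuration and the service names are constructed; the function names are hypothetical; the boolean spellings and the rule that the per-service option overrides the global one are assumptions based on imapd.conf(5).

```python
# Accepted boolean spellings (assumption, per imapd.conf(5)).
TRUE_VALUES = {"yes", "on", "t", "true", "1"}
FALSE_VALUES = {"no", "off", "f", "false", "0"}


def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            options[key.strip().lower()] = value.strip()
    return options


def starttls_allowed(options, service):
    """Effective allowstarttls for one service.

    <service>_allowstarttls is checked before the global allowstarttls
    (assumed precedence). With neither set, the 3.8.6 / 3.10.2 default
    applies: STARTTLS is disabled.
    """
    for key in (f"{service}_allowstarttls", "allowstarttls"):
        if key in options:
            value = options[key].lower()
            if value in TRUE_VALUES:
                return True
            if value in FALSE_VALUES:
                return False
            raise ValueError(f"{key}: unrecognised boolean {options[key]!r}")
    return False


def audit(text, services):
    """Map each service name (as used in cyrus.conf) to its effective setting."""
    options = parse_imapd_conf(text)
    return {service: starttls_allowed(options, service) for service in services}


# Constructed sample: STARTTLS off globally, re-enabled only for "imap".
SAMPLE_CONF = """\
# /etc/imapd.conf (constructed sample)
allowstarttls: 0
imap_allowstarttls: on
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, ["imap", "pop3"]))
```

Services reported as `False` will only accept clients configured for implicit TLS, such as IMAPS on port 993.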