https://bodhi.fedoraproject.org/updates/FEDORA-2026-93c7a550b9
~~~
After the update from cyrus 3.8 I can not connect to the server anymore. Lots of this error in the log: session ended: sessionid=<cyrus-1769669820-6072-1-14846267638718756014> userid=<> id.name=<(null)>

Trying to recreate the account in Thunderbird tells me it does not support TLS. Downgrade to 3.8 fixed the problem instantly .
~~~

Reproducible: Always

Steps to Reproduce:
1. Upgrade cyrus-imapd to >=3.8.6 / >=3.10.2



Additional Information:
This is expected behavior on 3.8.6 / 3.10.2:

https://www.cyrusimap.org/3.10/imap/download/release-notes/3.10/x/3.10.2.html
~~~
The industry is deprecating STARTTLS (aka opportunistic TLS) in favor of implicit TLS over a dedicated port. STARTTLS is now disabled by default.

Installations that need to service clients that use opportunistic TLS should enable the allowstarttls imapd.conf(5) option for the services that need it. For example, for a service configured with the name imap in cyrus.conf(5), set imap_allowstarttls: on to enable STARTTLS.
~~~

The same applies to the 3.8.6 version:

https://www.cyrusimap.org/imap/download/release-notes/3.8/x/3.8.6.html

Fix options

1. Use implicit TLS (recommended):

Configure clients to use IMAPS on port 993 (“SSL/TLS” in Thunderbird) instead of STARTTLS on 143.

2. Re-enable STARTTLS (what your Thunderbird likely expects):

Enable STARTTLS for the relevant service(s) by setting the service-specific option in imapd.conf:

For the service named imap in cyrus.conf, add:

~~~
imap_allowstarttls: on
~~~

There is also the possibility of allowing this globally in /etc/imapd.conf

~~~
allowstarttls: 1
~~~

Cyrus-imapd supports both global and per-service variants.