For reference: if you put ssl=yes there, the TLS layer is established
immediately. However, the standard ManageSieve protocol does not support
that (not currently anyway): only the establishment of the TLS layer
using the STARTTLS command is part of the standard. That is why your
clients fail to connect: they're speaking plaintext while the server is
speaking TLS. Still, Dovecot supports configuring it that way, which is
what you did.
Regards,
Stephan.
I'm just surprised that ssl=yes leads to STARTTLS being disabled, as per
the wiki [1]:
> ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the
> client, but the client isn't required to use it. [...]
>
> ssl=yes and disable_plaintext_auth=yes: SSL/TLS is offered to the
> client, but the client isn't required to use it. [...]
>
> ssl=required: SSL/TLS is always required [...]. Any attempt to
> authenticate before SSL/TLS is enabled will cause an authentication
> failure.
Maybe this bit needs to be clarified a bit? I think I've read that page
a few times and it still didn't occur to me that this could be a problem.
Best regards,
--Dominik
[1]: https://wiki.dovecot.org/SSL/DovecotConfiguration
