> New, TLSv1/SSLv3, Cipher is TLS_CHACHA20_POLY1305_SHA256 This cipher can only be used with TLSv1.3, so the dovecot instance does speak TLSv1.3. (You could also verify this by using eopenssl11 instead of openssl from base - don't forget to add -CAfile /etc/ssl/cert.pem).
> 2022-11-16T16:32:02.837Z obsd4321 dovecot: imap-login: Disconnected: > Connection closed: SSL_accept() failed: error:1402610B:SSL > routines:ACCEPT_SR_CLNT_HELLO:wrong version number (no auth attempts in 0 > secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: > SSL_accept() failed: error:1402610B:SSL routines:ACCEPT_SR_CLNT_HELLO:wrong > version number, session=<xxxxxxx> This error can only be hit if the client does not advertise TLSv1.3.