From 44a3f9b1bc065b719509ac12e2a6e7416278879b Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien
Date: Mon, 27 Feb 2023 14:10:43 +0100
Subject: [PATCH] in imapserver, do not advertise STARTTLS if TLS isn't configured
---
 imapserver/server.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/imapserver/server.go b/imapserver/server.go
index c7b71a5..f1ff40f 100644
--- a/imapserver/server.go
+++ b/imapserver/server.go
@@ -1291,7 +1291,8 @@ func (c *conn) cmdCapability(tag, cmd string, p *parser) {
 func (c *conn) capabilities() string {
 caps := serverCapabilities
 // ../rfc/9051:1238
- if !c.tls {
+ // We only allow starting without TLS when explicitly configured, in violation of RFC.
+ if !c.tls && c.tlsConfig != nil {
 caps += " STARTTLS"
 }
 if c.tls || c.noRequireSTARTTLS {
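Review bot: The new guard in capabilities() only stops advertising STARTTLS; a client can still send the STARTTLS command without it being offered. The command handler is outside this hunk and not visible here, so it is worth confirming that it applies the same `c.tlsConfig != nil` check and returns a tagged error instead of attempting a handshake with a nil config. The added comment explains why a nil config can exist rather than what the condition does; something like `// No TLS config means a plaintext-only listener (explicit opt-in, violates the RFC): do not offer an upgrade we cannot perform.` would read more directly. On such a listener with `c.noRequireSTARTTLS` set, the following branch is taken on a connection that can never be upgraded, which deserves a short comment there too. capabilities() continues past the end of the hunk.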