Related to T2082.
While guam provides its own capability set when receiving a connection via unencrypted IMAP, it passes CAPABILITY commands through to its backend servers and does not alter the response. As a result, clients that explicitly ask for capabilities (like Python's imaplib) refuse to STARTTLS (because it is not advertised as a capability when the backend server is contacted via implicit TLS) and allow authentication (because the backend server is happy allowing a client to authenticate via implicit TLS).
$ nc -v mail.example.com imap
Connection to mail.example.com (…) 143 port [tcp/imap] succeeded!
* OK [CAPABILITY IMAP4rev1 STARTTLS LITERAL+ ID ENABLE SASL-IR LOGINDISABLED] mail.example.com Cyrus IMAP 2.5.15-28-g7d1550bfa-Debian-2.5.15.28-0~kolab1 server ready
A001 CAPABILITY^M
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY AUTH=PLAIN AUTH=LOGIN SASL-IR X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
A001 OK Completed
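
A check for the mismatch visible in the session above, as an added example that is not part of the original report or of guam's code: it compares the capabilities in the greeting with those in the CAPABILITY reply on a connection without TLS. The function names are hypothetical and the sample lines are constructed, abbreviated from the session above.

```python
import re

# Constructed sample, abbreviated from the session shown above: the proxy's own
# greeting, then the backend's CAPABILITY response passed through unchanged.
GREETING = ("* OK [CAPABILITY IMAP4rev1 STARTTLS LITERAL+ ID ENABLE SASL-IR "
            "LOGINDISABLED] mail.example.com server ready")
CAPABILITY_REPLY = [
    "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN SASL-IR IDLE",
    "A001 OK Completed",
]

def greeting_caps(line):
    """Capabilities from the [CAPABILITY ...] response code of the greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    return {c.upper() for c in m.group(1).split()} if m else set()

def reply_caps(lines):
    """Capabilities from untagged '* CAPABILITY ...' lines of a command reply."""
    caps = set()
    for line in lines:
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == "*" and parts[1].upper() == "CAPABILITY":
            caps.update(c.upper() for c in parts[2:])
    return caps

def cleartext_findings(greeting, reply):
    """Compare both capability sets as seen on a connection without TLS."""
    before, after = greeting_caps(greeting), reply_caps(reply)
    findings = []
    if "STARTTLS" in before and "STARTTLS" not in after:
        findings.append("STARTTLS advertised in greeting but missing from CAPABILITY reply")
    if "LOGINDISABLED" in before and "LOGINDISABLED" not in after:
        findings.append("LOGINDISABLED dropped from CAPABILITY reply")
    plain = sorted(c for c in after if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if plain and "LOGINDISABLED" not in after:
        findings.append("plaintext mechanisms offered without TLS: " + ", ".join(plain))
    return findings

if __name__ == "__main__":
    for finding in cleartext_findings(GREETING, CAPABILITY_REPLY):
        print("FINDING:", finding)
```

An empty result means the CAPABILITY reply is consistent with the greeting for a cleartext connection.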