Kolab tends not to offload TLS, nor terminate TLS, on the perimeter, but depending on deployment topology backend IMAP servers to Guam may support only explicit SSL/TLS via STARTTLS rather than implicit SSL/TLS -- in order to potentially provide the client with an option to upgrade the connection's security.
Currently, Guam does not improve the security to the backend server using STARTTLS, should such capability be available (CAPABILITY response from initial backend connection), while it should (opportunistically) unless explicitly configured otherwise ({ tls, false }).
NOTE: Guam should assume that the validation to the IMAP backend server passes successfully and without error, meaning that self-signed certificates and other such amateur-hour ventures should cause the connection to fail.