Kolab tends not to offload TLS, nor terminate TLS, on the perimeter, but depending on deployment topology backend IMAP servers to #guam may support only explicit SSL/TLS via `STARTTLS` rather than implicit SSL/TLS -- in order to potentially provide the client with an option to upgrade the connection's security.
Currently, #guam does not improve the security to the backend server using `STARTTLS`, should such capability be available (`CAPABILITY` response from initial backend connection), while it should (opportunistically) unless explicitly configured otherwise (`{ tls, false }`).
NOTE: #guam should assume that the validation to the IMAP backend server passes successfully and without error, meaning that self-signed certificates and other such amateur-hour ventures should cause the connection to fail.