For reference: if you put ssl=yes there, the TLS layer is established immediately. However, the standard ManageSieve protocol does not support that (not currently anyway): only the establishment of the TLS layer using the STARTTLS command is part of the standard. That is why your clients fail to connect: they're speaking plaintext while the server is speaking TLS. Still, Dovecot supports configuring it that way, which is what you did.
Regards,
Stephan.
I'm just surprised that ssl=yes leads to STARTTLS being disabled, as per the wiki [1]:
ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn't required to use it. [...]
ssl=yes and disable_plaintext_auth=yes: SSL/TLS is offered to the client, but the client isn't required to use it. [...]
ssl=required: SSL/TLS is always required [...]. Any attempt to authenticate before SSL/TLS is enabled will cause an authentication failure.
Maybe this bit needs to be clarified a bit? I think I've read that page a few times and it still didn't occur to me that this could be a problem.
Best regards, --Dominik
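
As an added example (not part of the thread and not Dovecot code): a small Python check that tells the two listener modes discussed above apart by whether the server sends a plaintext ManageSieve greeting that advertises STARTTLS. Port 4190, the function names and the sample greeting are assumptions made for the illustration; the greeting bytes are constructed, not captured.

```python
import re
import socket

# Constructed sample of a plaintext ManageSieve greeting (RFC 5804 format).
SAMPLE_GREETING = (
    b'"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
    b'"SIEVE" "fileinto envelope"\r\n'
    b'"SASL" ""\r\n'
    b'"STARTTLS"\r\n'
    b'"VERSION" "1.0"\r\n'
    b'OK "Dovecot ready."\r\n'
)
CAP_LINE = re.compile(r'^"([^"]+)"(?:\s+"(.*)")?$')

def parse_greeting(raw: bytes) -> dict:
    """Return {CAPABILITY: value} from a ManageSieve capability greeting."""
    caps = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.upper().startswith(("OK", "NO", "BYE")):
            break  # the status line ends the capability list
        m = CAP_LINE.match(line.strip())
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps

def classify(raw: bytes) -> str:
    """Classify what a plaintext client saw right after connecting."""
    if not raw:
        # No greeting: the listener is likely waiting for a TLS ClientHello,
        # so a STARTTLS-only client will hang or fail here.
        return "implicit-tls-or-silent"
    caps = parse_greeting(raw)
    if "IMPLEMENTATION" not in caps:
        return "not-managesieve"
    return "starttls" if "STARTTLS" in caps else "plaintext-only"

def read_greeting(host: str, port: int = 4190, timeout: float = 5.0) -> bytes:
    """Connect in plaintext and read until the status line or a timeout."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            while not re.search(rb"^(OK|NO|BYE)\b.*\r?\n", buf, re.M):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except socket.timeout:
        pass  # silence is itself the signal for an implicit-TLS listener
    return buf

if __name__ == "__main__":
    print(classify(SAMPLE_GREETING))
```

Against a live server, `classify(read_greeting("mail.example.org"))` (placeholder host) returns `implicit-tls-or-silent` when the listener expects TLS from the first byte.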