I was just thinking how they could be easily supported. This would work, right?

imap stream tcp nowait root /usr/sbin/tcpd /usr/local/libexec/dovecot/imap-login
imaps stream tcp nowait root /usr/sbin/tcpd /usr/local/libexec/dovecot/imap-login --ssl

imap-login would try to connect to master process using some named socket. If it couldn't, it would create the master process itself. Master process would work as usual (executes auth and imap processes), except it wouldn't be executing login processes.
This wouldn't require much code changing, and it would still be using all the same privilege separations as the standalone version, so it would be just as secure.
Only thing I'm wondering is if any of the TCP wrappers care about the created child processes? The master process would have to stay alive after the connection that created it dies.
I guess I'll implement this soon and try if it works.
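
The connect-or-create step described in this message, as an added example (not Dovecot's code and not part of the original post). The function names, the lock file and the stand-in master that only accepts connections are assumptions; the stand-in exits after 3 seconds so the demo cleans up after itself.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>
static void set_addr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, path, sizeof(sa->sun_path) - 1);
}
/* Connect to the master's named socket; -1 if no master is listening. */
int master_connect(const char *path) {
    struct sockaddr_un sa; set_addr(&sa, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(fd); fd = -1; }
    return fd;
}
/* Start a stand-in master that outlives the inetd connection that created it. */
static void master_spawn(const char *path, int lock_fd) {
    pid_t pid = fork();
    if (pid != 0) { if (pid > 0) waitpid(pid, NULL, 0); return; }
    close(lock_fd);                 /* do not keep the startup lock held */
    setsid();                       /* leave the session of inetd/tcpd */
    struct sockaddr_un sa; set_addr(&sa, path);
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    umask(077);                     /* socket usable by its owner only */
    unlink(path);                   /* clear a stale socket; safe under the lock */
    if (bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(lfd, 16) < 0) _exit(1);
    if (fork() != 0) _exit(0);      /* caller reaps this child; master goes to init */
    close(0); close(1); close(2);   /* under inetd these are the client's TCP socket */
    alarm(3);                       /* demo only: a real master keeps running */
    for (;;) { int c = accept(lfd, NULL, NULL); if (c >= 0) close(c); }
}
/* Connect to the master, creating it if needed; the lock serializes racing logins. */
int master_get(const char *path) {
    int fd = master_connect(path);
    if (fd >= 0) return fd;
    char lock[128]; snprintf(lock, sizeof(lock), "%s.lock", path);
    int lk = open(lock, O_CREAT | O_RDWR, 0600);
    if (lk < 0 || flock(lk, LOCK_EX) < 0) return -1;
    if ((fd = master_connect(path)) < 0) { master_spawn(path, lk); fd = master_connect(path); }
    close(lk);
    return fd;
}
int main(void) {                    /* constructed socket path */
    return master_get("/tmp/demo-master.sock") >= 0 ? 0 : 1;
}
```

The second fork plus setsid() is what lets the master survive the wrapper's connection ending, and closing descriptors 0 to 2 keeps the master from holding the first client's socket open.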