Can ssl=required be forced on per user setting?

Right now I could modify password_query to check if %c (%{secured}) is empty and return appropriate error as "reason" like in

https://doc.dovecot.org/configuration_manual/authentication/nologin/#authent...

example.

Unfortunately password_query is a bit too late.

I would like to deny access as soon as possible, so just after user sends his login.

(that won't help much in cases when client sends password early like "AUTH PLAIN b64loginpass" but will help in all other cases)

user_query doesn't have this capability that password_query it seems.

-- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )