Dovecot Authentication Protocol via SSL?
I'm trying to run the Dovecot Authentication Protocol (port 12345) [1] via SSL. Here is my non-SSL config:
service auth {
  inet_listener {
    port = 12345
    haproxy = yes
  }
}
Adding ssl=yes to the inner block doesn't seem to change anything; I can't connect via "openssl s_client -connect", for example. I do use SSL for IMAPS, so I know my general SSL configuration is fine and I've got a valid LetsEncrypt cert.
Also, Postfix doesn't appear to offer any configuration in terms of running this protocol via SSL.
Question: Does it even matter? I'm about to run this protocol over untrusted networks. Is it perhaps designed to handle this situation?
I'm using SASL plain authentication. I'm obviously concerned about leaking passwords, but also about leaking usernames and activity logs in general.
[1] https://doc.dovecot.org/3.0/developer_manual/design/auth_protocol/
dovecot.org@schildbach.de
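Added illustration, not part of the original post and not Dovecot or Postfix code: in the auth protocol linked as [1], a request is one tab-separated AUTH line whose resp= parameter is the base64-encoded SASL initial response, so without TLS everything in that line is readable on the path. The sketch below parses such a line and lists what is exposed; the sample line, IP addresses and credentials are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample of the line an SMTP server sends to the auth service
# for SASL PLAIN. Addresses and credentials are made up for this example.
_resp = base64.b64encode(b"\0alice@example.org\0correct-horse").decode()
SAMPLE_AUTH_LINE = (
    "AUTH\t1\tPLAIN\tservice=smtp\trip=203.0.113.7\tlip=198.51.100.2\t"
    "resp=" + _resp
)


def parse_auth_line(line):
    """Split an AUTH request into id, mechanism and key=value parameters."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request")
    params = {}
    for field in fields[3:]:
        # partition() splits on the first '=', so base64 padding survives
        key, _, value = field.partition("=")
        params[key] = value  # flags without '=' get an empty value
    return {"id": fields[1], "mech": fields[2], "params": params}


def exposed_fields(line):
    """Return what a passive observer of the cleartext link can read."""
    req = parse_auth_line(line)
    seen = {k: v for k, v in req["params"].items() if k != "resp"}
    seen["mech"] = req["mech"]
    resp = req["params"].get("resp")
    if req["mech"].upper() == "PLAIN" and resp:
        # RFC 4616 message layout: authzid NUL authcid NUL passwd
        parts = base64.b64decode(resp).split(b"\0")
        if len(parts) == 3:
            seen["authcid"] = parts[1].decode("utf-8", "replace")
            # Report only that the password is recoverable, not its value
            seen["password_visible"] = bool(parts[2])
    return seen


if __name__ == "__main__":
    for key, value in sorted(exposed_fields(SAMPLE_AUTH_LINE).items()):
        print(f"{key}: {value}")
```

Base64 is an encoding, not encryption, so the username, the password, the client address and the service name are all visible unless the connection itself is protected.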