backport:

- un-document "Host imaps:[...]" syntax and introduce new option UseIMAPS
  instead
- apply ted's patch to support UseIMAPS in conjunction with Tunnel
- document that SSLv2 is No Good (TM)

src/drv_imap.c

@@ -1270,15 +1270,15 @@ imap_open_store( store_conf_t *conf, store_t *oldctx )
 		info( "ok\n" );
 
 		imap->buf.sock.fd = s;
+	}
 
 #if HAVE_LIBSSL
-		if (srvc->use_imaps) {
+	if (srvc->use_imaps) {
-			if (start_tls( ctx ))
+		if (start_tls( ctx ))
-				goto bail;
+			goto bail;
-			use_ssl = 1;
+		use_ssl = 1;
-		}
-#endif
 	}
+#endif
 
 	/* read the greeting string */
 	if (buffer_gets( &imap->buf, &rsp )) {
@@ -1726,6 +1726,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep, int *err )
 
 	while (getcline( cfg ) && cfg->cmd) {
 		if (!strcasecmp( "Host", cfg->cmd )) {
+			/* The imap[s]: syntax is just a backwards compat hack. */
 #if HAVE_LIBSSL
 			if (!memcmp( "imaps:", cfg->val, 6 )) {
 				cfg->val += 6;
@@ -1758,6 +1759,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep, int *err )
 			}
 		} else if (!strcasecmp( "RequireSSL", cfg->cmd ))
 			server->require_ssl = parse_bool( cfg );
+		else if (!strcasecmp( "UseIMAPS", cfg->cmd ))
+			server->use_imaps = parse_bool( cfg );
 		else if (!strcasecmp( "UseSSLv2", cfg->cmd ))
 			server->use_sslv2 = parse_bool( cfg );
 		else if (!strcasecmp( "UseSSLv3", cfg->cmd ))

src/mbsync.1

@@ -210,17 +210,13 @@ The location of the \fBINBOX\fR. This is \fInot\fR relative to \fBPath\fR.
 Define the IMAP4 Account \fIname\fR, opening a section for its parameters.
 ..
 .TP
-\fBHost\fR [\fBimaps:\fR]\fIhost\fR
+\fBHost\fR \fIhost\fR
-Specify the DNS name or IP address of the IMAP server.  If \fIhost\fR is
+Specify the DNS name or IP address of the IMAP server.
-prefixed with \fBimaps:\fR the connection is assumed to be an SSL connection
-to port 993.
-Note that modern servers support SSL on the default port 143 via the
-STARTTLS extension, which will be used automatically by default.
 ..
 .TP
 \fBPort\fR \fIport\fR
-Specify the TCP port number of the IMAP server.  (Default: 143 for imap,
+Specify the TCP port number of the IMAP server.  (Default: 143 for IMAP,
-993 for imaps)
+993 for IMAPS)
 ..
 .TP
 \fBUser\fR \fIusername\fR
@@ -245,6 +241,15 @@ If set to \fIyes\fR, \fBmbsync\fR will abort the connection if no CRAM-MD5
 authentication is possible.  (Default: \fIno\fR)
 ..
 .TP
+\fBUseIMAPS\fR \fIyes\fR|\fIno\fR
+If set to \fIyes\fR, the default for \fBPort\fR is changed to 993 and
+\fBmbsync\fR will start SSL negotiation immediately after establishing
+the connection to the server.
+.br
+Note that modern servers support SSL on the regular IMAP port 143 via the
+STARTTLS extension, which will be used automatically by default.
+..
+.TP
 \fBRequireSSL\fR \fIyes\fR|\fIno\fR
 \fBmbsync\fR will abort the connection if a TLS/SSL session cannot be
 established with the IMAP server.  (Default: \fIyes\fR)
@@ -257,12 +262,14 @@ This option is \fImandatory\fR if SSL is used. See \fBSSL CERTIFICATES\fR below.
 .TP
 \fBUseSSLv2\fR \fIyes\fR|\fIno\fR
 Use SSLv2 for communication with the IMAP server over SSL?
-(Default: \fIyes\fR if an imaps \fBHost\fR is used, otherwise \fIno\fR)
+.br
+Note that this option is deprecated for security reasons.
+(Default: \fIno\fR)
 ..
 .TP
 \fBUseSSLv3\fR \fIyes\fR|\fIno\fR
 Use SSLv3 for communication with the IMAP server over SSL?
-(Default: \fIyes\fR if an imaps \fBHost\fR is used, otherwise \fIno\fR)
+(Default: \fIno\fR)
 ..
 .TP
 \fBUseTLSv1\fR \fIyes\fR|\fIno\fR