hi all,

on a MacOSX 10.3.6 sys with:

   cyrus-imap 2.2.8
   cyrus-sasl 2.1.20

i've a canonical server:

  testserver.internal.testdomain.com

and a virtual domain:

  mail2.internal.testdomain.com

i'm currently auth'ing PLAINTEXT via auxprop+sql (MySQL 4.1.7)

i've set up cyrus.conf to LISTEN *only* on the imaps svc (port 993)
   ...
   SERVICES {
#       imap          cmd="imapd" listen="imap" prefork=0
        imaps              cmd="imapd -s" listen="imaps" prefork=0
   ...

and, imapd.conf to include:
   ...
   sasl_mech_list: PLAIN LOGIN
   sasl_password_format: crypt
   sasl_minimum_layer: 0
   sasl_maximum_layer: 1024
   ...
   tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
   tls_require_cert: 0
   tls_session_timeout: 60
   ...

using my imap client (mulberry), i can successfully log in to an account, 'testuser', in the virtual domain, with server == mail2.internal.testdomain.com:993 and security == SSLv3.

however, if i instead log in with server == mail2.internal.testdomain.com:993 and security == STARTTLS-TLSv1, no connection occurs, and the attempt times out after the tls_session_timeout (60 seconds).

if i then drop back to listen ONLY on imap service, i.e. cyrus.conf:
   ...
   SERVICES {
        imap          cmd="imapd" listen="imap" prefork=0
#       imaps              cmd="imapd -s" listen="imaps" prefork=0
   ...

i can successfully make connections to server:143 with security == NO SECURITY !!or!! security == STARTTLS-TLSv1 !!or!! security == SSLv3. i.e., TLS-negotiated sessions are occurring over port 143 -- the 'wrong' port.

bottom line:

client to server:143, security = NO SECURITY --> OK (right)
client to server:143, security = SSLv3, STARTTLS-TLSv1 --> OK (wrong)
client to server:993, security = NO SECURITY --> NO CONNECTION (right)
client to server:993, security = SSLv3 --> OK (right)
client to server:993, security = STARTTLS-TLSv1 --> NO CONNECTION (wrong)


#####################
## QUESTION
i don't think this is right, is it? aren't TLS & SSL sessions ONLY supposed to connect to port 993, and sessions with no-security ONLY to port 143?


or, have i misunderstood how this is supposed to operate?

threads here:

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&msg=19483
http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg02411.html

have me suspecting this may be the client ...

thanks,

richard
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
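Added example for this thread (not code from the poster, from Cyrus, or from the list): a small Python probe that tries the three client modes against a given host and port, so the behaviour of each listener can be checked directly rather than inferred from the client. Port 143 is plaintext IMAP that may be upgraded in-band with the STARTTLS command once the server advertises STARTTLS in its capabilities (RFC 2595); port 993 expects the TLS handshake before any IMAP bytes at all, so a client that waits for a plaintext greeting there (which is what a STARTTLS client does) sits until its timeout. The two demo_ helpers reproduce exactly those two mismatches against throw-away localhost listeners; the host, port and the 'testserver' greeting text are constructed sample values.

```python
"""Probe how an IMAP listener handles plaintext, STARTTLS and implicit TLS.

Illustration for the 143-vs-993 question; not Cyrus or the poster's code.
"""
import socket
import ssl
import sys
import threading

# Constructed greeting in the form Cyrus 2.2 prints (capabilities in the greeting).
SAMPLE_GREETING = (b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] "
                   b"testserver Cyrus IMAP4 v2.2.8 server ready\r\n")


def parse_capabilities(greeting: bytes) -> set:
    """Return the CAPABILITY tokens embedded in a greeting, or an empty set."""
    text = greeting.decode("ascii", "replace")
    start = text.find("[CAPABILITY ")
    if start < 0:
        return set()
    end = text.find("]", start)
    return set(text[start + len("[CAPABILITY "):end].split())


def read_line(sock) -> bytes:
    """Read one CRLF-terminated IMAP line; raises socket.timeout if none arrives."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("peer closed before sending a full line")
        buf += chunk
    return buf


def probe(host: str, port: int, mode: str, timeout: float = 5.0) -> str:
    """mode is 'plain', 'starttls' or 'implicit'. Returns a short verdict string."""
    # Certificate checks are off because this probes the handshake itself;
    # a real mail client must verify the server certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return f"connect failed: {e}"
    try:
        with raw:
            if mode == "implicit":
                # TLS first, IMAP greeting only after the handshake (port 993 style)
                tls = ctx.wrap_socket(raw, server_hostname=host)
                greeting = read_line(tls)
                return f"ok: TLS {tls.version()} then greeting {greeting[:12]!r}"
            greeting = read_line(raw)  # plaintext greeting (port 143 style)
            caps = parse_capabilities(greeting)
            if mode == "plain":
                return f"ok: plaintext greeting, STARTTLS offered={'STARTTLS' in caps}"
            if "STARTTLS" not in caps:
                return "no STARTTLS in capabilities"
            raw.sendall(b"a001 STARTTLS\r\n")
            resp = read_line(raw)
            if not resp.upper().startswith(b"A001 OK"):
                return f"STARTTLS refused: {resp!r}"
            tls = ctx.wrap_socket(raw, server_hostname=host)
            return f"ok: STARTTLS upgraded to TLS {tls.version()}"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError as e:
        return f"handshake failed: {e.reason}"
    except OSError as e:
        return f"error: {e}"


def demo_silent_listener(timeout: float = 1.0) -> str:
    """993 + STARTTLS symptom: a listener that, like imaps, never speaks first,
    so a client waiting for a plaintext greeting times out."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe("127.0.0.1", srv.getsockname()[1], "starttls", timeout)
    finally:
        srv.close()


def demo_plaintext_listener(timeout: float = 1.0) -> str:
    """143 + implicit TLS: the ClientHello is answered with an IMAP greeting,
    which the client's TLS library rejects as a malformed record."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(SAMPLE_GREETING)
            try:
                conn.recv(1024)  # consume whatever the client sent, then close
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.getsockname()[1], "implicit", timeout)
    finally:
        srv.close()


if __name__ == "__main__":
    # usage: probe.py HOST PORT plain|starttls|implicit
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it three times against each port (for example `probe.py mail2.internal.testdomain.com 993 implicit`, then `starttls`, then `plain`): a correctly configured imaps listener answers "ok" only for implicit and "timeout" for the other two, while an imap listener answers "ok" for plain and starttls and "handshake failed" for implicit. Whatever a GUI client labels its security modes, the verdicts from the raw socket show which listener is actually doing what.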
