This is the important information:
Changes since 3.12.0: (from https://www.cyrusimap.org/dev/imap/download/release-notes/3.12/x/3.12.1.html)
The industry is deprecating STARTTLS (aka opportunistic TLS) in favor of implicit TLS over a dedicated port. STARTTLS is now disabled by default.
Installations that need to service clients that use opportunistic TLS should enable the allowstarttls imapd.conf(5) option for the services that need it. For example, for a service configured with the name imap in cyrus.conf(5), set imap_allowstarttls: on to enable STARTTLS.
Is imap:143 + STARTTLS now considered insecure?
Not immediately, but it's considered more likely to be affected by exploits because there is an unencrypted step before encryption is enabled.
Should I reconfigure all mail clients to use imaps instead of imap+STARTTLS?
Ideally yes, but it may not be practical immediately.
This is a very small setup and I do not need to support STARTTLS on port 143.
I use the "allowstarttls: on" option in the imapd.conf file to override the default, and allow STARTTLS.
It was not ideal to introduce this in a patch version, but it's easy to work around.
<arl
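
Added example (not part of the message above and not Cyrus project code): a small audit that reads imapd.conf and cyrus.conf text and reports, per IMAP service, whether it uses implicit TLS, allows STARTTLS, or has STARTTLS disabled under the 3.12.1 default. Assumptions: a service-prefixed option overrides the unprefixed one, the listed boolean spellings are accepted, and the "imaplegacy" service and port 1143 in the sample are constructed.

```python
import re

# Assumed boolean spellings; the "off" default is the 3.12.1 behaviour quoted above.
TRUE_VALUES = {"on", "yes", "true", "1", "t", "y"}

def parse_imapd_conf(text):
    """Parse 'name: value' lines, skipping blanks and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            opts[name.strip().lower()] = value.strip().lower()
    return opts

def parse_services(text):
    """Return {service name: cmd argv} from the SERVICES block of cyrus.conf."""
    block = re.search(r"SERVICES\s*\{(.*?)\}", text, re.S)
    services = {}
    for line in (block.group(1) if block else "").splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            cmd = re.search(r'cmd="([^"]*)"', parts[1])
            services[parts[0]] = cmd.group(1).split() if cmd else []
    return services

def audit(imapd_conf, cyrus_conf):
    """Classify each imapd listener: implicit TLS, STARTTLS allowed, or disabled."""
    opts = parse_imapd_conf(imapd_conf)
    report = {}
    for name, argv in parse_services(cyrus_conf).items():
        if not argv or argv[0].rsplit("/", 1)[-1] != "imapd":
            continue  # this sketch only covers IMAP services
        if "-s" in argv[1:]:  # imapd -s serves IMAP over implicit TLS (imaps)
            report[name] = "implicit TLS"
            continue
        # Assumption: a service-prefixed option overrides the unprefixed one.
        value = opts.get(f"{name}_allowstarttls", opts.get("allowstarttls", "off"))
        report[name] = "STARTTLS allowed" if value in TRUE_VALUES else "STARTTLS disabled"
    return report

# Constructed sample configuration (service "imaplegacy" and port 1143 are made up).
SAMPLE_CYRUS_CONF = '''SERVICES {
  imap        cmd="imapd"     listen="imap"   prefork=0
  imaps       cmd="imapd -s"  listen="imaps"  prefork=0
  imaplegacy  cmd="imapd"     listen="1143"   prefork=0
}'''
SAMPLE_IMAPD_CONF = "# no global allowstarttls line\nimaplegacy_allowstarttls: on\n"
if __name__ == "__main__":
    print(audit(SAMPLE_IMAPD_CONF, SAMPLE_CYRUS_CONF))
```

A listener reported as "STARTTLS disabled" still accepts plaintext connections on its port; it only stops offering the upgrade, so clients that relied on it need to move to the imaps listener.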
