changeset 14622:258c2e231357

login: Don't allow STARTTLS if ssl=no in client's settings, even if ssl=yes globally.
author Timo Sirainen <tss@iki.fi>
date Tue, 17 Jul 2012 15:28:24 +0300
parents 77b52599e883
children d01a06d821cf
files src/imap-login/client.c src/login-common/client-common.c src/login-common/client-common.h src/pop3-login/client-authenticate.c
diffstat 4 files changed, 9 insertions(+), 3 deletions(-) [+]
--- a/src/imap-login/client.c	Tue Jul 17 15:21:32 2012 +0300
+++ b/src/imap-login/client.c	Tue Jul 17 15:28:24 2012 +0300
@@ -62,7 +62,7 @@
 		str_append(cap_str, imap_client->set->imap_capability + 1);
 	}
 
-	if (ssl_initialized && !client->tls)
+	if (client_is_tls_enabled(client) && !client->tls)
 		str_append(cap_str, " STARTTLS");
 	if (client->set->disable_plaintext_auth && !client->secured)
 		str_append(cap_str, " LOGINDISABLED");
--- a/src/login-common/client-common.c	Tue Jul 17 15:21:32 2012 +0300
+++ b/src/login-common/client-common.c	Tue Jul 17 15:28:24 2012 +0300
@@ -346,7 +346,7 @@
 		return;
 	}
 
-	if (!ssl_initialized) {
+	if (!client_is_tls_enabled(client)) {
 		client_send_line(client, CLIENT_CMD_REPLY_BAD,
 				 "TLS support isn't enabled.");
 		return;
@@ -591,6 +591,11 @@
 	return FALSE;
 }
 
+bool client_is_tls_enabled(struct client *client)
+{
+	return ssl_initialized && strcmp(client->set->ssl, "no") != 0;
+}
+
 const char *client_get_extra_disconnect_reason(struct client *client)
 {
 	unsigned int auth_secs = client->auth_first_started == 0 ? 0 :
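Review bot: client_is_tls_enabled() is added without a comment saying which settings it consults, and that matters here because it replaces a process-wide flag with a per-connection decision that now gates both the STARTTLS/STLS advertisement and the STARTTLS command itself. I would put `/* Returns TRUE if TLS may be started for this client: SSL was initialized globally and this client's own ssl setting isn't "no". */` above the definition, or next to the prototype in client-common.h. The function only reads through `client`, so `const struct client *client` would document that, although the neighbouring prototypes visible in the header hunk take a non-const pointer, so treat that as optional. Any code outside this diff that still tests `ssl_initialized` directly would keep the old global behaviour for a client whose settings say ssl=no, so the remaining uses are worth a grep before relying on this as the single check.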
--- a/src/login-common/client-common.h	Tue Jul 17 15:21:32 2012 +0300
+++ b/src/login-common/client-common.h	Tue Jul 17 15:28:24 2012 +0300
@@ -168,6 +168,7 @@
 const char *client_get_extra_disconnect_reason(struct client *client);
 bool client_is_trusted(struct client *client);
 void client_auth_failed(struct client *client);
+bool client_is_tls_enabled(struct client *client);
 const char *client_get_session_id(struct client *client);
 
 bool client_read(struct client *client);
--- a/src/pop3-login/client-authenticate.c	Tue Jul 17 15:21:32 2012 +0300
+++ b/src/pop3-login/client-authenticate.c	Tue Jul 17 15:28:24 2012 +0300
@@ -33,7 +33,7 @@
 	str_append(str, "+OK\r\n");
 	str_append(str, capability_string);
 
-	if (ssl_initialized && !client->common.tls)
+	if (client_is_tls_enabled(&client->common) && !client->common.tls)
 		str_append(str, "STLS\r\n");
 	if (!client->common.set->disable_plaintext_auth ||
 	    client->common.secured)