I couldn't find any way to configure managesieve over a pure TLS connection (no plain connection + STARTTLS command). There should be a way to configure which type of encrypted channel to use with managesieve. Even when there is no standard port for "sieves", users should be able to configure it on any custom port.
Can confirm this. It's a blocker. Matter of fact, while trying to establish a TLS connection using the usual `openssl s_client -showcerts -connect example.com:4190` works beautifully, ksieve doesn't even try to negotiate a TLS connect. It's just TCP's SYN; SYN, ACK; ACK; at this point the TCP connection is established, and it would be the client's job to initiate a TLS session – never happens, there's 0 bytes exchanged, until at some point either I close the program or the server drops the idle connection. Functionality of the same server has been verified through an unencrypted direct connection. Attaching Wireshark capture.
Created attachment 150778: Wireshark capture of the very data-less conversation with a TLS server over IPv6/TCP
Tested version of libksieve was 21.12.2, by the way, can't map that to the versions offered as choice above. Having a hard time building git master from source.
Also reproducible under 5.20.3 (22.04.3)
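The stall described in the thread (TCP handshake completes, then no payload in either direction) can be told apart from a working implicit-TLS or STARTTLS session by looking at who sends the first payload. The following is an added example, not code from the reporters or from libksieve; the event format, the function names and the sample byte strings are constructed for illustration.

```python
# Added example (not from the bug report): classify how a ManageSieve TCP
# conversation opens, from the ordered payloads seen in a packet capture.

def is_tls_client_hello(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03;
    # the handshake message type at offset 5 is 0x01 for a ClientHello.
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def classify(events):
    """events: ordered (sender, payload) pairs; sender is "client" or "server".
    Segments without payload (SYN, ACK, FIN) may be listed with b"" or omitted."""
    payloads = [(s, p) for s, p in events if p]
    if not payloads:
        # Neither side spoke. A TLS listener waits for the client's ClientHello,
        # while a plaintext ManageSieve server sends its greeting first (RFC 5804).
        return "stalled"
    sender, first = payloads[0]
    if sender == "client" and is_tls_client_hello(first):
        return "implicit-tls"
    if sender == "server" and first.lstrip().startswith(b'"'):
        # Heuristic: a plaintext capability greeting starts with a quoted name.
        for s, p in payloads[1:]:
            if s == "client" and p.strip().upper() == b"STARTTLS":
                return "starttls"
        return "plaintext"
    return "unknown"

# Constructed sample conversations (not taken from attachment 150778).
GREETING = b'"IMPLEMENTATION" "Example Sieve"\r\n"STARTTLS"\r\nOK\r\n'
HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
SAMPLES = {
    "stalled": [("client", b""), ("server", b""), ("client", b"")],
    "implicit-tls": [("client", HELLO)],
    "starttls": [("server", GREETING), ("client", b"STARTTLS\r\n"),
                 ("server", b"OK\r\n"), ("client", HELLO)],
    "plaintext": [("server", GREETING), ("client", b"CAPABILITY\r\n")],
}

if __name__ == "__main__":
    for name, events in SAMPLES.items():
        print(f"{name:13} -> {classify(events)}")
```

A capture classified as `plaintext` on a port that is meant to be encrypted is the case to alert on, since commands and credentials would cross the network unprotected.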