diff -pur ../cyrus-imapd-2.4.17-orig/doc/man/imapd.conf.5.html ./doc/man/imapd.conf.5.html
--- ../cyrus-imapd-2.4.17-orig/doc/man/imapd.conf.5.html 2014-10-16 03:00:03.779726969 +0200
+++ ./doc/man/imapd.conf.5.html 2014-10-16 03:02:16.827722396 +0200
@@ -2156,6 +2156,12 @@ prime256v1

This configures which elliptical curve parameter to use for TLS.

+

tls_tlsonly: +false

+ +

This disables support for SSLv2 +and SSLv3

+

umask: 077

The umask value used by various
diff -pur ../cyrus-imapd-2.4.17-orig/imap/imapd.c ./imap/imapd.c
--- ../cyrus-imapd-2.4.17-orig/imap/imapd.c 2014-10-16 03:00:03.757727131 +0200
+++ ./imap/imapd.c 2014-10-16 03:10:07.268685935 +0200
@@ -6853,7 +6853,7 @@ void cmd_starttls(char *tag, int imaps)
 result=tls_init_serverengine("imap",
 5, /* depth to verify */
 !imaps, /* can client auth? */
- !imaps); /* TLS only? */
+ (!imaps) || config_getswitch(IMAPOPT_TLS_TLSONLY)); /* TLS only? */
 if (result == -1) {
diff -pur ../cyrus-imapd-2.4.17-orig/imap/nntpd.c ./imap/nntpd.c
--- ../cyrus-imapd-2.4.17-orig/imap/nntpd.c 2014-10-16 03:00:03.760727001 +0200
+++ ./imap/nntpd.c 2014-10-16 03:08:24.391702017 +0200
@@ -4147,7 +4147,7 @@ static void cmd_starttls(int nntps)
 result=tls_init_serverengine("nntp",
 5, /* depth to verify */
 !nntps, /* can client auth? */
- !nntps); /* TLS only? */
+ (!nntps) || config_getswitch(IMAPOPT_TLS_TLSONLY)); /* TLS only? */
 if (result == -1) {
diff -pur ../cyrus-imapd-2.4.17-orig/imap/pop3d.c ./imap/pop3d.c
--- ../cyrus-imapd-2.4.17-orig/imap/pop3d.c 2014-10-16 03:00:03.762726976 +0200
+++ ./imap/pop3d.c 2014-10-16 03:09:03.211728251 +0200
@@ -1225,7 +1225,7 @@ static void cmd_starttls(int pop3s)
 result=tls_init_serverengine("pop3",
 5, /* depth to verify */
 !pop3s, /* can client auth? */
- !pop3s); /* TLS only? */
+ (!pop3s) || config_getswitch(IMAPOPT_TLS_TLSONLY)); /* TLS only? */
 if (result == -1) {
diff -pur ../cyrus-imapd-2.4.17-orig/lib/imapoptions ./lib/imapoptions
--- ../cyrus-imapd-2.4.17-orig/lib/imapoptions 2014-10-16 03:00:03.754726975 +0200
+++ ./lib/imapoptions 2014-10-16 03:03:36.517717791 +0200
@@ -1412,6 +1412,9 @@ product version in the capabilities */
 /* The default elliptical curve parameter. For list of curves see: openssl ecparam -list_curves */
+{ "tls_tlsonly", 0, SWITCH }
+/* Disables use of SSLv2 and SSLv3 */
+
 { "umask", "077", STRING }
 /* The umask value used by various Cyrus IMAP programs. */
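Review bot: In imap/imapd.c's cmd_starttls, setting `tls_tlsonly` may pin the SSL-wrapped port to a single TLS version rather than just removing SSLv2/SSLv3, depending on how tls_init_serverengine() treats its fourth argument, which this patch does not show. If that function maps the flag to a fixed-version method such as `TLSv1_server_method()`, enabling the option would also lock out TLS 1.1 and 1.2; the usual approach is to keep the version-flexible method and set `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` on the context, so this is worth confirming before relying on the switch. The same applies to the identical one-line changes in imap/nntpd.c and imap/pop3d.c. Because `(!imaps)` is already true for STARTTLS, the option only has an effect when `imaps` is set, and the trailing comment could say so, e.g. `/* TLS only? always for STARTTLS; per tls_tlsonly on the SSL port */`. cmd_starttls begins and ends outside the hunk in all three files.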
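Review bot: The default of `0` in `{ "tls_tlsonly", 0, SWITCH }` leaves SSLv2 and SSLv3 negotiable on the SSL-wrapped ports after upgrade unless an administrator opts in, so the hardening is off in the configuration most sites will run. If legacy-client compatibility allows, `{ "tls_tlsonly", 1, SWITCH }` would be the safer default; otherwise the release notes should call out that the option must be enabled. The option comment also does not state its scope or default; something like `/* Disables SSLv2 and SSLv3 on the SSL-wrapped ports (imaps, pop3s, nntps). STARTTLS sessions are always TLS-only. Off by default. */` matches what the three cmd_starttls changes actually do.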