lib/PublicInbox/NetReader.pm | 20 +++++++++++---------
t/imapd-tls.t | 11 +++++++++--
t/nntpd-tls.t | 8 ++++++++
diff --git a/lib/PublicInbox/NetReader.pm b/lib/PublicInbox/NetReader.pm
index 236e824cd26d48ec2326b97455b139d0b5841a65..e305523e300b16c2b32b59442ecadf44be683c02 100644
--- a/lib/PublicInbox/NetReader.pm
+++ b/lib/PublicInbox/NetReader.pm
@@ -91,6 +91,16 @@ ...before retrying your current command
EOM
}
+# Net::NNTP doesn't support CAPABILITIES, yet; and both IMAP+NNTP
+# servers may have multiple listen sockets.
+sub try_starttls ($) {
+ my ($host) = @_;
+ return if $host =~ /\.onion\z/si;
+ return if $host =~ /\A127\.[0-9]+\.[0-9]+\.[0-9]+\z/s;
+ return if $host eq '::1';
+ 1;
+}
+
# mic_for may prompt the user and store auth info, prepares mic_get
sub mic_for ($$$$) { # mic = Mail::IMAPClient
my ($self, $uri, $mic_common, $lei) = @_;
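Review bot: The comment above `try_starttls` does not say what the return value means, and a false return here leaves the session in plaintext, so the contract deserves a line of its own. I would add something like `# returns false for hosts where opportunistic STARTTLS is skipped: .onion names and loopback literals (127.0.0.0/8, ::1); true for everything else`. The checks match literal strings only, so `localhost` or a longer spelling of the IPv6 loopback address still returns true. That errs toward attempting TLS, which is the safe direction, but it is worth stating so the patterns are not widened later to names that can resolve off-host.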
@@ -122,6 +132,7 @@ # default to using STARTTLS if it's available, but allow
# it to be disabled since I usually connect to localhost
if (!$mic_arg->{Ssl} && !defined($mic_arg->{Starttls}) &&
$mic->has_capability('STARTTLS') &&
+ try_starttls($host) &&
$mic->can('starttls')) {
$mic->starttls or die "E: <$uri> STARTTLS: $@\n";
}
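Review bot: This branch stays opportunistic: STARTTLS is attempted only when the server's capability list, read over the still-unencrypted connection, advertises it. If an on-path party removes that capability, the session continues in plaintext without any message. For hosts where `try_starttls($host)` is true, I would at least emit a warning when STARTTLS is not advertised. The comment should also say this, e.g. `# opportunistic only: a missing STARTTLS capability falls back to plaintext; use imaps:// or imap.starttls=true to insist on TLS`. Whether `imap.starttls=true` actually refuses to continue when the capability is absent cannot be seen from this hunk and should be confirmed. `$host` is not assigned in the visible lines, so it is presumably set earlier in `mic_for`, whose body starts and ends outside the hunk.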
@@ -162,15 +173,6 @@ if ($err) {
$lei ? $lei->fail($err) : warn($err);
}
$mic;
-}
-
-# Net::NNTP doesn't support CAPABILITIES, yet
-sub try_starttls ($) {
- my ($host) = @_;
- return if $host =~ /\.onion\z/s;
- return if $host =~ /\A127\.[0-9]+\.[0-9]+\.[0-9]+\z/s;
- return if $host eq '::1';
- 1;
}
sub nn_new ($$$) {
diff --git a/t/imapd-tls.t b/t/imapd-tls.t
index 72ba8769610a90db756fb20d6773e090e010abb6..73f5112fcb7275e672be10a944f4c143e9a2be16 100644
--- a/t/imapd-tls.t
+++ b/t/imapd-tls.t
@@ -1,8 +1,8 @@
+#!perl -w
# Copyright (C) 2020-2021 all contributors
# License: AGPL-3.0+
use strict;
-use warnings;
-use Test::More;
+use v5.10.1;
use Socket qw(IPPROTO_TCP SOL_SOCKET);
use PublicInbox::TestCommon;
# IO::Poll is part of the standard library, but distros may split it off...
@@ -154,6 +154,13 @@ like($greet, qr/\A\* OK \[CAPABILITY IMAP4rev1 /, 'got greeting');
is(syswrite($slow, "1 LOGOUT\r\n"), 10, 'slow wrote LOGOUT');
ok(sysread($slow, my $end, 4096) > 0, 'got end');
is(sysread($slow, my $eof, 4096), 0, 'got EOF');
+
+ test_lei(sub {
+ lei_ok qw(ls-mail-source), "imap://$starttls_addr",
+ \'STARTTLS not used by default';
+ ok(!lei(qw(ls-mail-source -c imap.starttls=true),
+ "imap://$starttls_addr"), 'STARTTLS verify fails');
+ });
SKIP: {
skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
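Review bot: The negative check `ok(!lei(...), 'STARTTLS verify fails')` passes for any non-zero exit, so a refused connection or a bad option would satisfy it just as well as a rejected certificate. Since the client dies with `E: <$uri> STARTTLS: ...` on this path, the test should also pin the cause, e.g. `like($lei_err, qr/STARTTLS/, 'failure came from STARTTLS');`. This assumes `$lei_err` carries that message here, as the nntpd test's use of it suggests. The matching block in t/nntpd-tls.t has the same gap. Without this, a regression that stops verifying the certificate could be masked by an unrelated failure.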
diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 2c09d34e5b452fadebd31c987ed4082903e79caa..9af6c25443a07d768adceadf186e6e3568a9bf61 100644
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -146,6 +146,14 @@ ok(sysread($slow, my $end, 4096) > 0, 'got EOF');
is(sysread($slow, my $eof, 4096), 0, 'got EOF');
$slow = undef;
+ test_lei(sub {
+ lei_ok qw(ls-mail-source), "nntp://$starttls_addr",
+ \'STARTTLS not used by default';
+ ok(!lei(qw(ls-mail-source -c nntp.starttls=true),
+ "nntp://$starttls_addr"), 'STARTTLS verify fails');
+ diag $lei_err;
+ });
+
SKIP: {
skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;
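Review bot: `diag $lei_err;` inside the new `test_lei` block runs unconditionally, so every passing run prints the client's stderr to the harness output. It looks like leftover debugging. I would either drop it or emit it only when the preceding check fails, i.e. end that `ok(...)` call with `or diag $lei_err;`.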