diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 56cc1ab..4e77baf 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -124,6 +124,7 @@ in
               ${if cfg.enableImap then ''
                 port = 143
               '' else ''
+                # see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
                 port = 0
               ''}
             }
@@ -132,6 +133,7 @@ in
                 port = 993
                 ssl = yes
               '' else ''
+                # see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
                 port = 0
               ''}
             }
@@ -143,6 +145,7 @@ in
               ${if cfg.enablePop3 then ''
                 port = 110
               '' else ''
+                # see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
                 port = 0
               ''}
             }
@@ -151,6 +154,7 @@ in
                 port = 995
                 ssl = yes
               '' else ''
+                # see https://dovecot.org/pipermail/dovecot/2010-March/047479.html
                 port = 0
               ''}
             }
diff --git a/tests/intern.nix b/tests/intern.nix
index b4f42db..0799fc0 100644
--- a/tests/intern.nix
+++ b/tests/intern.nix
@@ -62,6 +62,8 @@ pkgs.nixosTest {
 
         vmailGroupName = "vmail";
         vmailUID = 5000;
+
+        enableImap = false;
       };
     };
   };
@@ -86,5 +88,12 @@ pkgs.nixosTest {
         machine.succeed(
             "${pkgs.curl}/bin/curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q '<body>'"
         )
+
+    with subtest("imap port 143 is closed and imaps is serving SSL"):
+        machine.wait_for_closed_port(143)
+        machine.wait_for_open_port(993)
+        machine.succeed(
+            "echo | ${pkgs.openssl}/bin/openssl s_client -connect localhost:993 | grep 'New, TLS'"
+        )
   '';
 }