I have an IMAP server running on Fedora (cyrus-imapd-2.4.18-1.fc23.i686) with the following configuration:
$ cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
userdeny_db: flat
tls_cert_file: /etc/pki/tls/certs/corti.li.crt
tls_key_file: /etc/pki/tls/private/corti.li.key
# Chain
tls_ca_file: /etc/pki/tls/certs/COMODORSA.crt
#tls_cipher_list: HIGH
#tls_cipher_list: TLSv1:SSLv3:!SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH:!ADH
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13
and everything works perfectly. Now I am migrating to CentOS 7 (cyrus-imapd-2.4.17-8.el7_1.x86_64), but with the same configuration the server still accepts connections with SSLv2 and low-grade ciphers.
$ ./testssl.sh --color 0 new.corti.li:993
[...]
further IP addresses: 2a01:4f8:c17:3bac::2
rDNS (138.201.94.195): static.195.94.201.138.clients.your-server.de.
Service detected: IMAP, thus skipping HTTP specific checks
Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
SSLv2 not offered (OK)
SSLv3 offered (NOT ok)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
HTTP2/ALPN not offered
Testing ~standard cipher lists
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption not offered (OK)
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
Medium grade encryption not offered (OK)
Triple DES Ciphers offered
High grade encryption offered (OK)
I don't see any errors in the logs. Any idea why
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM
is ignored?
Edit
The same settings on the Fedora machine produce (no SSLv3):
$ ./testssl.sh --color 0 corti.li:993
[...]
further IP addresses: 2a01:4f8:d13:f44::2
rDNS (78.47.122.114): corti.li.
Service detected: IMAP, thus skipping HTTP specific checks
Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
HTTP2/ALPN not offered
Testing ~standard cipher lists
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption not offered (OK)
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
Medium grade encryption not offered (OK)
Triple DES Ciphers offered
High grade encryption offered (OK)
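As an added check (not part of the question and not Cyrus code), the script below expands the question's tls_cipher_list with the local OpenSSL, the same way the server's libssl does, and reports the items testssl.sh flagged. The point it demonstrates: an OpenSSL cipher string only selects cipher suites and never disables a protocol version; on the OpenSSL 1.0.x shipped with CentOS 7 and Fedora 23 the TLSv1 keyword is an alias of SSLv3 and 3DES still counts as HIGH, which is why both scans show Triple DES offered while only a protocol setting can remove SSLv3.

```python
import ssl

# The tls_cipher_list value from the imapd.conf in the question.
CIPHER_LIST = "TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM"


def expand_cipher_list(cipher_list):
    """Expand an OpenSSL cipher string with the local libssl, exactly as the
    IMAP server's OpenSSL does when it reads tls_cipher_list.  Returns one
    dict per suite: name, minimum protocol version and strength in bits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return [{"name": c["name"], "protocol": c["protocol"], "bits": c["strength_bits"]}
            for c in ctx.get_ciphers()]


def audit_cipher_list(cipher_list):
    """Report what a scanner such as testssl.sh would report for this list.
    A cipher string selects suites only; it cannot turn off SSLv3 or any other
    protocol version.  On OpenSSL 1.0.x (CentOS 7, Fedora 23) the TLSv1 and
    SSLv3 keywords select the same suites and 3DES is still in HIGH, so
    '!MEDIUM' does not remove DES-CBC3-SHA there."""
    suites = expand_cipher_list(cipher_list)
    return {
        "suites": len(suites),
        "triple_des": [s["name"] for s in suites
                       if "DES-CBC3" in s["name"] or "3DES" in s["name"]],
        "below_128_bits": [s["name"] for s in suites if s["bits"] < 128],
        "anonymous": [s["name"] for s in suites
                      if s["name"].startswith(("ADH", "AECDH"))],
        # Suites whose minimum version is SSLv3: if the server still offers
        # SSLv3, these are the suites it will negotiate on that version.
        "sslv3_usable": [s["name"] for s in suites if s["protocol"] == "SSLv3"],
    }


if __name__ == "__main__":
    for key, value in audit_cipher_list(CIPHER_LIST).items():
        print(f"{key}: {value}")
```

Which suites land in each bucket depends on the OpenSSL version the script runs against; run it on the CentOS 7 host to see the list its cyrus-imapd actually gets.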