In order to determine if TLS can be restricted to TLSv1.2 or above, I need to check the usage in the logs. Unfortunately, dovecot (2.3.x) doesn't log this information by default.
We need to append %k to login_log_format_elements (and include the variable for session):
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c session=<%{session}> (%k)
Example syslog output:
Nov 15 14:34:15 example dovecot[1059712]: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=2001:db8:ef8f:f2b4:b928::c8a6:d81a, lip=2001:db8:8dfb:bf78::9ca8:a66c:fbae, mpid=1060014, TLS, session=<yD4LtNTQAOAgAQiw/gbSFR0knRY/WiMu>, (TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
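
Once logins carry the %k field, the log can be tallied to see which clients still negotiate less than TLSv1.2 before the minimum is raised. The Python script below is an added example, not part of the original note: the function names are hypothetical, and the sample log lines are constructed in the format shown above (including an assumed empty `()` where no TLS details are logged).

```python
import re
from collections import Counter

# Matches a login line written with the login_log_format_elements shown above.
# The (%k) part is optional so logins without TLS details are still counted.
LOGIN_RE = re.compile(
    r"-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)"
    r"(?:.*\((?P<proto>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>\S+))?"
)

# Constructed sample lines (documentation addresses, made-up users and sessions).
SAMPLE = [
    "Nov 15 14:34:15 example dovecot[1059712]: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=2001:db8::10, lip=2001:db8::1, mpid=1060014, TLS, session=<AAAAAAAAAAAAAAAA>, (TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))",
    "Nov 15 14:35:02 example dovecot[1059712]: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=1060020, TLS, session=<BBBBBBBBBBBBBBBB>, (TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))",
    "Nov 15 14:36:40 example dovecot[1059712]: pop3-login: Login: user=<carol@example.org>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, mpid=1060031, TLS, session=<CCCCCCCCCCCCCCCC>, (TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))",
    "Nov 15 14:37:11 example dovecot[1059712]: imap-login: Login: user=<dave@example.org>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=1060040, secured, session=<DDDDDDDDDDDDDDDD>, ()",
    "Nov 15 14:38:00 example dovecot[1059712]: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.9, lip=192.0.2.1",
]

def version_key(proto):
    """Sortable key: SSLv3 < TLSv1 < TLSv1.1 < TLSv1.2 < TLSv1.3."""
    family, _, num = proto.partition("v")
    major, _, minor = num.partition(".")
    return (family == "TLS", int(major), int(minor or 0))

def summarize(lines, minimum="TLSv1.2"):
    """Return (Counter of protocol versions, sorted (user, rip, proto) below minimum)."""
    versions, legacy = Counter(), set()
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a successful login line
        proto = m["proto"] or "no TLS info"
        versions[proto] += 1
        if m["proto"] and version_key(proto) < version_key(minimum):
            legacy.add((m["user"], m["rip"], proto))
    return versions, sorted(legacy)

if __name__ == "__main__":
    versions, legacy = summarize(SAMPLE)
    print(dict(versions))
    print(legacy)
```

Feeding it the real syslog file instead of `SAMPLE` gives the list of accounts and client addresses that would be cut off by raising the minimum protocol version.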