diff --git a/default.nix b/default.nix
index cc21e26..2e2be2e 100644
--- a/default.nix
+++ b/default.nix
@@ -851,9 +851,11 @@ in
 
 enableImap = mkOption {
 type = types.bool;
- default = true;
+ default = false;
 description = ''
 Whether to enable IMAP with STARTTLS on port 143.
+
+ The use of this port is deprecated per RFC 8314 4.1.
 '';
 };
 
@@ -894,6 +896,8 @@ in
 default = false;
 description = ''
 Whether to enable POP3 with STARTTLS on port on port 110.
+
+ The use of this port is deprecated per RFC 8314 4.1.
 '';
 };
 
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 7a48dd4..cc6fc6b 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -13,8 +13,14 @@ NixOS 25.11
 1024 bit keys should not be considered valid any longer.
 - DMARC reports are now sent with the ``noreply-dmarc`` localpart from the
 system domain.
+- IMAP access over port ``143/tcp`` is now default disabled in line with
+ `RFC 8314 4.1`_. Use IMAP over implicit TLS on port ``993/tcp`` instead.
+ If you still require this feature you can reenable it using
+ ``mailserver.enableImap``, but it is scheduled for removal after the 25.11
+ release.
 
 .. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2
+.. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1
 
 NixOS 25.05
 -----------
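Review bot: The added sentence in the `enableImap` description says port 143 is deprecated but not what to use instead or that the option is scheduled for removal; only the release notes say that. I would extend it to `The use of this port is deprecated per RFC 8314 4.1; use IMAP over implicit TLS on port 993 instead. This option is scheduled for removal after the 25.11 release.`, and ideally name the reason: STARTTLS is negotiated in cleartext, so a client that does not insist on TLS can be downgraded by an on-path party. The POP3 description in the second hunk has the same gap, and its context line still reads `on port on port 110`, which could be fixed while the text is touched. Since the default flips from `true` to `false`, deployments that never set the option presumably stop listening on 143 after the upgrade, so an evaluation warning whenever `mailserver.enableImap` is `true` would make both the change and the planned removal visible; the option set continues outside the hunk.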