TLS termination at ingress edge for HTTPS only?

I did some searching but I must have missed something. I’ve got my HTTPS TLS termination working using the istio-ingressgateway along with my Gateway, VirtualService objects for https traffic.
What about non-http application layer protocols? SMTP, IMAP, SNMP, binary protocols - these can be transported over TLS secured sockets as we all know. But the Pilot controller complains if I use Gateway…port.protocol: TCP with tcp-imap AND tls.mode: SIMPLE (with same tls properties as my working https ports. Once I got rid of the tls: block for these non-http protocols, no complaints but that also means no TLS termination.
Is Istio TLS termination not meant for non-http protocols? The text “TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection.” in the section makes me suspect so ( or that only the Mongo protocol over TLS can be terminated ? I know nothing about the Mongo protocol perhaps it’s http-like? and that’s why it’s in the Gateway…port.protocol description text?)
Would be nice to have the ingress controller handle all such configured traffic. I’m hoping I missed some documentation that spells it out either way.

Error: admission webhook "[](" denied the request: configuration is invalid: 2 errors occurred:
* server cannot have TLS settings for non HTTPS/TLS ports
* server cannot have TLS settings for non HTTPS/TLS ports

Istio version 1.4.3

The above rejection was when I had this Gateway port definition (post-Helm template processing):

  - port:  
      number: 143
      name: tcp-imap
      protocol: TCP 
    - "*"    # {{ .Values.external.fqdn }} after testing
      mode: SIMPLE  
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

And yes, ideally, the TLS/SSL termination occurs at the Gateway so the internal imap services doesn’t have to be configured for TLS. But that’s option #2