thanks for the replies.
first i checked dsa.msc and my imap_agent acct did exist in the Exchange
Trusted Subsystem group.
then i check ADsiedit.msc,
and imap_agent was not listed as a member item of the group.
so i closed both consoles and went back to dsa.msc and deleted imap_agent from the group, closed the console, reopened the dsa.msc console and added imap_agent back to the Exchange
Trusted Subsystem group.
Then I opened adsiedit.msc, and now imap_agent exists as a member of the the Exchange
Trusted Subsystem group.
i retested my imap connection,
but it still doesn't work using the imap_agent account. I reset the imap_agent pswd just in case and it still doesn't work. I deleted the imap_agent account and recreated it. no change.
One interested note. if i try . login domain/user2/user1 {user2 pswd} where user2 was added directly to the mailbox via the EAC, the imap connection works. user2 is a mailbox user.
so the imap protocol is working, what is not working is the authentication of my imap_agent account.
there is a similar thread but identifies the CAS as the issue in the end:
https://social.technet.microsoft.com/Forums/en-US/c7e00535-75ec-49ff-9fab-4d675eec7f26/0x800ccc0e-imap-connectivity-problem?forum=exchangesvrclients