Every time I have to mess with cyrus-imap mailboxes I spend a half hour trying to figure out how to get cyradm to run. While I have by no means figured it all out, I do have one piece of lore worthy of being written down.
My imap server forbids plaintext logins unless they are within a TLS session, so /etc/imapd.conf has the setting allowplaintext: 0
But, cyradm uses imap authentication (witness all the failed attempts to get cyradm to authenticate putting entries in the /var/log/secure log using pam_unix imap:auth). The problem of course is that cyradm doesn’t have a tls session, so allowplaintext rejecting the plaintext password.
Reset /etc/imapd.conf to allowplaintext:1 temporarily, systemctl restart cyrus-imapd, and then, as root, cyradm tarragon. Make all the mailboxes you want. Then reverse and turn plaintext back off.