I work for a small company (around 40 people) and our email is available via IMAP - but only when connected to our VPN. For iPhone users (and generally), the VPN connection appears to be an unnecessary overhead - after all, the IMAP traffic is encrypted and password-protected, so should I have any hesitations about opening up the IMAP SSL traffic to the internet?
(I can imagine greater concern for SMTP traffic perhaps - though, again, if encrypted and password protected, am I being overcautious?)
It depends how much you want to open yourself up to potential vulnerabilities.
Using the VPN gives you an extra layer of protection; however, it requires additional work to configure devices. Personally I'm happy to allow IMAPS from the internet, provided there's a good password policy in place.
Keeping the VPN is an option, and if you require the very highest level of security, then keep it. Otherwise I don't see why you shouldn't open it up.
At least you're erring on the side of caution - always a good trait!
As long as your IMAP server is patched, you are only (ahem) vulnerable to zero-day attacks. So if the traffic is encrypted then you should be OK.
BUT...
I can see that forcing users to connect to the VPN first takes away the attack vector opened up by allowing anyone on the Internet to connect to your IMAP server. So, I doubt anyone would get fired for insisting on this. It's a good belt-and-braces approach.
It's the old security vs. convenience thing... if all this is because you feel that the VPN is unnecessary overhead on your iPhone's 3G connection, it might not fly. Get an influential member of your Business Development team to complain, however, and you might be in business! :)
I think you'd be reasonably safe in opening up IMAP access to the outside without VPN access as long as...
1) You require/enforce SSL connections to encrypt IMAP traffic going back and forth.
2) You have some reasonable way to prevent DOS and brute force attacks.
and
3) You have some end-to-end email security solution to protect confidential info.
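One way to check point 1 from the outside, as an added example that is not part of the original answers: audit what the server advertises on the cleartext IMAP port before TLS is negotiated, using the STARTTLS and LOGINDISABLED capabilities defined in RFC 3501. The function names and the two sample responses are constructed for illustration.

```python
import re

# Mechanisms that send the password in a reversible form (safe only inside TLS).
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

def parse_capabilities(line):
    """Extract capability atoms from an IMAP greeting or CAPABILITY response."""
    # Greeting form: "* OK [CAPABILITY IMAP4rev1 ...] ready"
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if not m:
        # Untagged response form: "* CAPABILITY IMAP4rev1 ..."
        m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("no capability list found in line")
    return {atom.upper() for atom in m.group(1).split()}

def audit_cleartext_port(line):
    """Return findings for capabilities advertised BEFORE TLS is negotiated."""
    caps = parse_capabilities(line)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: session cannot be upgraded to TLS")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGINDISABLED missing: LOGIN accepted without TLS")
    for mech in sorted(caps & PLAINTEXT_MECHS):
        findings.append(mech + " offered before TLS: password sent recoverably")
    return findings

# Constructed sample responses, not captured from any real server.
WEAK = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] server ready"
HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    for name, line in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_cleartext_port(line)
        print(name, "->", findings or "no plaintext-auth findings")
```

An empty result means the cleartext port refuses credentials until the session is upgraded; publishing only the implicit-TLS IMAPS port avoids the cleartext listener altogether.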