I have a web server that also is my mail server - running dovecot and exim4. I currently have 5 open ports that have to do with serving mail; it seems very excessive to me. It's a dedicated box, I have root access - and most importantly I have control over everyone who receives mail from the box - so I can tell them to configure their mail clients any which way I prefer.
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
Questions:
What is the most secure way to serve mail?
Can I close ports 110 and 143, and just tell everyone to set their clients to receive on 993 and 995?
Is the mail served out of 993/995 fully encrypted, ie: not able to be eaves-dropped?
We could get into a whole PGP / SMIME discussion, but yeah, SSL/TLS are fine for client communication.
Yes. I'd go one better and just do IMAP/S - POP is bad.
Well, you could potentially configure them to be non-encrypted on those ports. But yes, those listeners should be enforcing SSL/TLS encryption for all client communication.
Note that those 4 are all for communication with email clients - port 25, SMTP, has optional encryption that's not widely implemented; your client communication may be hidden, but your relay communication is unlikely to be.
993 and 995 are the ports for IMAP-over-SSL and POP3-over-SSL, respectively.
It is actually possible to use 110 and 143 using TLS, and therefore encrypted. This is easily enabled in Dovecot. In fact, when Dovecot talks about "SSL" it actually means both SSL and TLS, so if you have
ssl = yes
in your Dovecot config, TLS should already be enabled. If you want to disable plaintext authentication, set
ssl = required
and
disable_plaintext_auth = yes

Right. Configure dovecot to ignore pop3 and imap in favor of pop3s and imaps and you'll prevent folks from grabbing passwords (and e-mail content) by sniffing those ports. You should be migrating folks away from pop in any case, as it usually has very silly implementations.
You should also configure exim to not allow authentication on port 25 connections (and to listen on 465 for SSL-encrypted SMTP) and to demand authentication before it allows a relayed message.
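A way to verify that the Dovecot and exim settings from the answers above actually took effect, as an added example that is not part of the original thread and not code from Dovecot or Exim: a small Python audit that reads what each plaintext listener advertises before any TLS is negotiated. A hardened Dovecot should show STARTTLS plus LOGINDISABLED on 143 and STLS without USER/SASL on 110; a hardened exim should offer STARTTLS but no AUTH on 25. The banner samples at the bottom are constructed (not captured from a real host), `audit.example` is a placeholder EHLO name, and `probe()` is only needed when you point it at a live server.

```python
"""Audit what a mail server offers before TLS is negotiated.

Added example for this thread, not code from Dovecot or Exim. It checks
the two things the answers ask for: Dovecot on 110/143 must advertise
STARTTLS/STLS and refuse plaintext login until TLS is up (ssl = required,
disable_plaintext_auth = yes), and Exim on 25 must not advertise AUTH
before STARTTLS. The assess_* functions work on banner text, so the
constructed samples at the bottom run offline; probe() fetches the same
text from a live host.
"""
import re
import socket
import ssl

IMAP_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]")


def assess_imap(greeting: str) -> dict:
    """greeting: '* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ...'"""
    m = IMAP_CAP_RE.search(greeting)
    caps = set(m.group(1).upper().split()) if m else set()
    return {
        "starttls": "STARTTLS" in caps,
        # LOGIN is allowed unless LOGINDISABLED is advertised; an AUTH=
        # mechanism offered pre-TLS would likewise carry the password in clear.
        "plaintext_auth": "LOGINDISABLED" not in caps
        or any(c.startswith("AUTH=") for c in caps),
    }


def assess_pop3(capa_reply: str) -> dict:
    """capa_reply: the multi-line answer to CAPA, from '+OK' to '.'"""
    caps = set()
    for line in capa_reply.splitlines():
        words = line.strip().upper().split()
        if not words or words[0] in ("+OK", "."):
            continue
        caps.add(words[0])
        if words[0] == "SASL":  # 'SASL PLAIN LOGIN' -> SASL=PLAIN, SASL=LOGIN
            caps.update("SASL=" + w for w in words[1:])
    return {
        "stls": "STLS" in caps,
        "plaintext_auth": "USER" in caps or any(c.startswith("SASL=") for c in caps),
    }


def assess_smtp(ehlo_reply: str) -> dict:
    """ehlo_reply: the multi-line EHLO answer, lines like '250-STARTTLS'."""
    caps = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ](\S+)(.*)", line.strip())
        if m:
            caps.add(m.group(1).upper())
            if m.group(1).upper() == "AUTH":
                caps.update("AUTH=" + w.upper() for w in m.group(2).split())
    return {
        "starttls": "STARTTLS" in caps,
        "auth_before_tls": any(c.startswith("AUTH=") for c in caps),
    }


def probe(host: str, port: int, implicit_tls: bool = False, timeout: float = 5.0) -> str:
    """Return the text assess_* expects, read from a live server.
    implicit_tls=True is for 465/993/995, where TLS is negotiated first."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if implicit_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rwb", buffering=0) as f:
        lines = [f.readline().decode(errors="replace")]  # server greeting
        if port in (25, 587):
            f.write(b"EHLO audit.example\r\n")  # placeholder client name
            lines = []
            while not lines or lines[-1].startswith("250-"):
                lines.append(f.readline().decode(errors="replace"))
        elif port == 110:
            f.write(b"CAPA\r\n")
            lines = [f.readline().decode(errors="replace")]
            while lines[0].startswith("+OK") and lines[-1].strip() != ".":
                lines.append(f.readline().decode(errors="replace"))
        return "".join(lines)


# Constructed sample banners (not captured from any real host).
HARDENED_IMAP = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.\r\n"
WEAK_IMAP = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.\r\n"
HARDENED_POP3 = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nRESP-CODES\r\nPIPELINING\r\nSTLS\r\n.\r\n"
WEAK_POP3 = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nSTLS\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n"
HARDENED_SMTP = "250-mail.example.com Hello audit.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
WEAK_SMTP = "250-mail.example.com Hello audit.example\r\n250-SIZE 52428800\r\n250-AUTH PLAIN LOGIN\r\n250 HELP\r\n"

if __name__ == "__main__":
    for name, fn, text in [("imap ok", assess_imap, HARDENED_IMAP), ("imap weak", assess_imap, WEAK_IMAP),
                           ("pop3 ok", assess_pop3, HARDENED_POP3), ("pop3 weak", assess_pop3, WEAK_POP3),
                           ("smtp ok", assess_smtp, HARDENED_SMTP), ("smtp weak", assess_smtp, WEAK_SMTP)]:
        print(f"{name:10s} {fn(text)}")
```

Against a live box, `assess_imap(probe("mail.example.com", 143))` and `assess_smtp(probe("mail.example.com", 25))` give the same dicts; `probe(host, 993, implicit_tls=True)` confirms the SSL listener answers at all. The same three checks can be done by hand with `openssl s_client -connect host:143 -starttls imap` (and `-starttls pop3` / `-starttls smtp`), which also lets you see the certificate the clients will be asked to trust.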