Postfix and Dovecot opened ports

  1. You could choose which protocol should be enable in the dovecot configuration. The SMTP is completely different from the IMAP/POP server, so there is no interaction between them. Use what you want. You can disable unsecured protocol if you don't use them (it is recommanded)
  2. Submission is an other protocol doing the same thing as SMTPS, but on port 587. Some networks allow SMTPS, some others submission. You can configure your weight clients to use one or other.
  3. If you just want Roundcube, you need to keep imap(s) activated ! But you can firewall the ports only to localhost

Quite the old question, but my response might be useful for some anyway..

On Debian GNU/Linux 7.6 (wheezy), find version with lsb_release -a, and Dovecot running 2.1.7, find version with dovecot --version, to disable ports, you must edit the file /etc/dovecot/conf.d/10-master.conf.

For example, if you only want to have pop3s (port 995), you should insert port=0 in all the relevant inet_listener sections.

Example code to allow only pop3s:

#/etc/dovecot/conf.d/10-master.conf    

service imap-login {
      inet_listener imap {
        #address = none
        #port = 143
        port=0
      }
      inet_listener imaps {
        #address = none
        #port = 993
        #ssl = yes
        port=0
      }


    service pop3-login {
      inet_listener pop3 {
        #address = none
        #port = 110
        port=0
      }
      inet_listener pop3s {
        #port = 995
        #ssl = yes
      }
    }

Now, restart dovecot with sudo service dovecot restart. You could run a port scan, with nmap against the network interfaces to verify that dovecot is no longer listening on the ports you wanted to disable.

Run nmap scan localhost to scan local host, and nmap scan nnn.nnn.nnn.nnn or nmap scan mail.mydomain.com to scan the public facing network interfaces.

If you did everything as in this example, the ports 110 (pop3), 143 (imap),993 (imaps), should no longer be listed as open.