I think that this might be a little confusion here.
My first question is: what protocols do you *need* to provide to your users?
By your statement, if you only need to provide OWA (or MAPI sessions for outlook) to your users, you don’t need do configure IMAP4 or POP3 within Exchange so, they could be blocked at the edge without interfering with OWA or MAPI. The lower the attack surface, the better.
Please provide some more details so we can help you better.