This will probably be short, but should still be addressed. When you are configuring systems, don’t make the implementation convoluted. It won’t fair well for you in the future when you have to troubleshoot.
When I had to reconfigure my servers due to data loss, I wanted the channels to be secure. Well, making a long story short, I made it so ports 143/tcp and 25/tcp required SSL/TLS. That’s fine, normally. Small mis-hap in configuration but easy to handle. Not when you have to spend 4 hours trying to get software like SquirrelMail to be able to connect to tls://mailserver.domain.tld:25. Granted, the configuration for SM 1.4.x is annoying anyways, but none of it even made sense.