Firewall – Are there any reasons why we should not block unencrypted service ports for mail such as 25,110 & 143

Actually the ports you mentionned, 465, 995 and 993 are deprecated and should no more be used.

See RFC2995 section 7

7. imaps and pop3s ports

Separate "imaps" and "pop3s" ports were registered for use with SSL. Use of these ports is discouraged in favor of the STARTTLS or STLS commands.

A number of problems have been observed with separate ports for "secure" variants of protocols. This is an attempt to enumerate some of those problems.

• Separate ports lead to a separate URL scheme which intrudes into the user interface in inappropriate ways. For example, many web pages use language like "click here if your browser supports SSL." This is a decision the browser is often more capable of making than the user.

• Separate ports imply a model of either "secure" or "not secure." This can be misleading in a number of ways. First, the "secure" port may not in fact be acceptably secure as an export-crippled cipher suite might be in use. This can mislead users into a false sense of security. Second, the normal port might in fact be secured by using a SASL mechanism which includes a security layer. Thus the separate port distinction makes the complex topic of security policy even more confusing. One common result of this confusion is that firewall administrators are often misled into permitting the "secure" port and blocking the standard port. This could be a poor choice given the common use of SSL with a 40-bit key encryption layer and plain-text password authentication is less secure than strong SASL mechanisms such as GSSAPI with Kerberos 5.

• Use of separate ports for SSL has caused clients to implement only two security policies: use SSL or don't use SSL. The desirable security policy "use TLS when available" would be cumbersome with the separate port model, but is simple with STARTTLS.

• Port numbers are a limited resource. While they are not yet in short supply, it is unwise to set a precedent that could double (or worse) the speed of their consumption.

Regarding port 465 for SMTPS it was even re-assigned by IANA to a different usage:

urd 465 tcp URL Rendesvous Directory for SSM

Source : http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=9

Specifically for SMTP , a mail server should (in most case) accept uncrypted communication, since it will likely received email from server that will not propose TLS.

However it is also advise to use port 25 for server to server mail transfer and use port 587 for mail submissions from clients.

See RFC2476

Extract:

3. Message Submission

3.1. Submission Identification

Port 587 is reserved for email message submission as specified in this document. Messages received on this port are defined to be submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with additional restrictions as specified here.

While most email clients and servers can be configured to use port 587 instead of 25, there are cases where this is not possible or convenient. A site MAY choose to use port 25 for message submission, by designating some hosts to be MSAs and others to be MTAs.

Regarding POP3, IMAP, and mail submission on port 587, you can enforce encryption on the standard ports 110, 143, 587 by configuring you server to refuse connection not encrypted with TLS. (and it is strongly advised to do so).