I've been running my own mail server (debian/postfix/dovecot) for
~5 years, far less than some people here, but enough to have a few
comments for you.
I have dovecot (and most other daemons) listening only on the loopback
interface, so I have no suggestions about securing external access.
I was able to get most of my incoming and outgoing mail encrypted,
with almost no effort, without even installing a real certificate.
See https://lists.ufl.edu/cgi-bin/wa?A2=ind13&L=LINUX-L&P=R6579 .
My encryption is vulnerable to an active MITM, but, at the time,
that was true even with a real certificate. That may have changed
by now; there was something called DANE on the horizon that was
expected to be able to fix that problem.
If you try to protect your mail from MITM (and, especially, if you
succeed!) please post here telling us how you did it.
I've been happy with postfix except for one annoying vulnerability,
which had already been known for many years when I noticed it, and
which no one seemed to want to fix, so I fixed it myself, and shared
the patch in the Debian BTS: https://bugs.debian.org/741888 .
-- Robert Munyer
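The self-signed setup and the DANE fix mentioned in the post above, worked through as an added example (this is not the author's code or the linked post's procedure). DANE (RFC 6698) closes the active-MITM gap for a certificate nobody signed by publishing a hash of it in a DNSSEC-signed TLSA record at `_25._tcp.<mx-hostname>`; a sending MTA that validates DNSSEC then pins to that hash instead of trusting a CA. The script below generates a self-signed key and certificate, derives the `3 1 1` record (usage DANE-EE, selector SubjectPublicKeyInfo, matching type SHA-256), and checks a certificate against a published record. The hostname `mail.example.org`, the file names and the function names are assumptions; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post. Derives DANE TLSA record data
# for a self-signed Postfix certificate and checks a cert against a record.
# mail.example.org is a placeholder hostname; requires the openssl CLI.
set -eu

# Create a fresh RSA key and a self-signed certificate in directory "$1".
make_selfsigned() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=mail.example.org" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Re-issue a certificate for the SAME key into "$1/cert2.pem", which is what
# a routine renewal does. A "3 1 1" record survives this; a "3 0 1" does not.
reissue_cert() {
  dir=$1
  openssl req -x509 -new -key "$dir/key.pem" -days 365 \
    -subj "/CN=mail.example.org" -out "$dir/cert2.pem" 2>/dev/null
}

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of certificate "$1":
# the data field of a "3 1 1" TLSA record. The sed strips openssl's
# "(stdin)= " / "SHA2-256(stdin)= " prefix, which differs between versions.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# SHA-256 of the whole DER certificate "$1": the data field of a "3 0 1"
# record. Shown for contrast; it changes on every renewal.
cert_sha256() {
  openssl x509 -in "$1" -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# Print the TLSA record for certificate "$1" as it would appear in the zone.
# The zone must be DNSSEC-signed, or the record protects nothing.
tlsa_record() {
  printf '_25._tcp.mail.example.org. IN TLSA 3 1 1 %s\n' "$(spki_sha256 "$1")"
}

# Return 0 if certificate "$1" still matches published "3 1 1" data "$2".
# Run this after every renewal, before the new cert goes live: a key
# rollover without a matching TLSA update makes DANE-validating senders
# refuse to deliver.
tlsa_matches() {
  [ "$(spki_sha256 "$1")" = "$2" ]
}

# Stand-alone demonstration (the checks below are repeated in the test).
if [ "${DEMO:-}" = 1 ]; then
  d=$(mktemp -d)
  make_selfsigned "$d"
  tlsa_record "$d/cert.pem"
  reissue_cert "$d"
  tlsa_matches "$d/cert2.pem" "$(spki_sha256 "$d/cert.pem")" \
    && echo "renewed cert still matches the 3 1 1 record"
  rm -rf "$d"
fi
```

On the receiving side, pointing `smtpd_tls_cert_file` and `smtpd_tls_key_file` at the generated files with `smtpd_tls_security_level = may` is the near-zero-effort opportunistic encryption the post describes; any remote MTA will use it, but an active attacker who strips STARTTLS or presents its own certificate is not detected. Postfix (2.11 and later) will authenticate the other end only when you give it a DNSSEC-validating resolver and set `smtp_dns_support_level = dnssec` together with `smtp_tls_security_level = dane` on the sending side, and the receiving domain has published the TLSA record above; with `dane`, a peer that has no usable TLSA record still gets opportunistic TLS, so enabling it costs nothing for domains that have not deployed DANE.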