thanks for your reply, but I am not sure if this is a good solution, I'm afraid. I do think so because of the following line from the dovecot wiki:
Clients using STARTTLS work by connecting to the regular unencrypted port and immediately issue a STARTTLS command, after which the session is encrypted. After SSL handshake there is no difference between SSL port initiated connections and STARTTLS initiated connections.
(for the complete paragraph about SSL/TLS see http://wiki2.dovecot.org/SSL
In other words: if I blocked the ports with the firewall, the STARTTLS concept would be useless.
At least this is how I understand it. Or am I wrong?