I'm not sure why you need a proxy on this. The proxy is meant for large
installations in order to load balance users across multiple servers
while keeping the appearance of a single host server. Open port 993
directly to the server and you should be good to go. Security-wise it's
pretty much the same too. Adding the proxy is going to add a layer of
complexity bound to add up to headaches in the future.
If I port forward and the machine is compromised, my company email and
the internal network are gone.
By proxying, I have at least slowed this process down and I already have
the DMZ machine forwarding SMTP and running a webmail frontend.
This doesn't make sense to me - if you just port forward port 993 (IMAPS) to the
inside server (with something like, what's it called - netcat?) - how would
compromising the DMZ machine lead to an exposed internal network? The end-point still
needs to negotiate SSL. You can't just sniff traffic - it's encrypted.
The intruder will have to do the full "man-in-the-middle" bit, complete with SSL
intercepting. Just to sniff passwords. And isn't that much easier to do if an
SSL-capable IMAP server is already installed on the DMZ server?