I'm not sure why you need a proxy on this. The proxy is meant for large
installations in order to load balance users across multiple servers
while keeping the appearance of a single host server. Open port 993
directly to the server and you should be good to go. Security-wise it's
pretty much the same to. Adding the proxy is going to add a layer of
complexity bound to add up to headaches in the future.
If I port forward and the machine is compromised, my company email and
the internal network are gone.
By proxying, I have at least slowed this process down and I already have
the DMZ machine forwarding SMTP and running a webmail frontend.