If this is the first time setting up an SSL cert for an email server, it is a learning curve, and yes, I do agree there does not seem to be one full document that gives full step-by-step instructions. Not that I have found, anyway.
Re the purchasing of a cert: you can use a self-issued one, but then email clients may not trust it. That's, in essence, why there are known good Certificate Authorities. You might as well purchase a £($)10 certificate and it's then sorted. However, if your clients currently use their own domains to connect to the email server, i.e. mail.clientdomain.com, then you will either have to set up SSL certs for each and every domain OR do what is normal practice and make sure all clients use your domain with the certificate. They can then use mail.yourdomain.com for mail, and you can also link it to webmail.yourdomain.com and use HTTPS if you decide to use a wildcard cert.
We made the transition last year, and even though we were apprehensive, it was actually welcomed by the clients, as we sold it, rightly so, as a security upgrade. From an email admin point of view it is FAR easier to administer too!
You can't force SSL/TLS on some domains and not others, as far as I am aware. You can implement SSL/TLS and still allow unsecured connections to take place; however, even though that is better than nothing, it's still leaving a security hole on each connection to the server, so it's better to block 110/143.
The SSL check boxes within Security > Protocol Settings are for when or if you configure autodiscover, for when email clients are being configured. It's great to use; however, it's lower down on your to-do list ;-)
Re the ports, this will hopefully clarify:
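The port list the poster refers to is not on the page. What follows is an added example, not part of the poster's reply, illustrating the certificate point made above: why a cert issued for mail.yourdomain.com (or a wildcard *.yourdomain.com) is trusted for mail.yourdomain.com and webmail.yourdomain.com but not for a client's own mail.clientdomain.com, which is why every client has to move to your host name or get its own cert. The certificate dictionaries and host names are constructed for illustration and mimic the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the matching rules follow RFC 6125 (wildcard only as the whole left-most label, matching exactly one label; subject CN consulted only when no subjectAltName is present).

```python
"""Does a mail server's certificate cover the host name a client connects to?

Added example, not from the original forum post.  The certificate dicts and
host names below are constructed for illustration only.
"""


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate against a host name (RFC 6125 style).

    A wildcard is honoured only when it is the entire left-most label and it
    matches exactly one label: '*.yourdomain.com' covers 'mail.yourdomain.com'
    but neither 'yourdomain.com' nor 'imap.eu.yourdomain.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # only the plain '*.rest.of.name' form is accepted
    if len(p_labels) < 3:
        return False  # refuse over-broad wildcards such as '*.com'
    if len(p_labels) != len(h_labels):
        return False  # wildcard stands in for exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Return True if `cert` (getpeercert()-shaped dict) is valid for `hostname`.

    subjectAltName DNS entries win; the subject commonName is used only as a
    fallback when the certificate carries no SAN at all, which is how modern
    mail clients and browsers behave.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_match_dns_name(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns_name(value, hostname)
    return False


def hosts_needing_migration(cert: dict, client_hosts: list) -> list:
    """Host names clients currently use that the certificate does NOT cover.

    Each of these clients must be reconfigured to your own host name (or get
    a separate certificate) before plaintext ports are closed.
    """
    return [host for host in client_hosts if not cert_matches_host(cert, host)]


# Constructed certificates (illustrative, not real issued certs).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.yourdomain.com"),),),
    "subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "yourdomain.com")),
}
CN_ONLY_CERT = {
    "subject": ((("commonName", "mail.yourdomain.com"),),),
}

# Constructed list of host names clients currently type into their mail apps.
CURRENT_CLIENT_HOSTS = [
    "mail.yourdomain.com",
    "webmail.yourdomain.com",
    "mail.clientdomain.com",
    "imap.eu.yourdomain.com",
]

if __name__ == "__main__":
    for host in CURRENT_CLIENT_HOSTS:
        print(f"{host:28s} wildcard: {cert_matches_host(WILDCARD_CERT, host)!s:5s} "
              f"cn-only: {cert_matches_host(CN_ONLY_CERT, host)}")
    print("must migrate:", hosts_needing_migration(WILDCARD_CERT, CURRENT_CLIENT_HOSTS))
```

The decision `cert_matches_host` makes is the same one a client's TLS stack (for example Python's `ssl.create_default_context()` with `check_hostname=True`) makes when the user's mail app connects on 993/995; a name that fails here is exactly the "certificate does not match" warning the poster is talking about, and the wildcard only buys you one extra label below yourdomain.com.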