Neal, for SSL (implicit), the server has no way to decide whether the communication should be secured or not; that's why it uses a different port.
TLS is another story. When a client connects to such a port, it first connects using non-secure transmission. The server then announces the STARTTLS capability and, if the client supports TLS, client and server start negotiating a TLS handshake, after which the channel is secured. That's why it can use the standard port.
Best practices would be to have:
- SMTP port 25 accepting clear and STARTTLS for inter-server communication, and only allow user authentication if the session has been secured by STARTTLS.
- Submission port 587 should only allow auth with STARTTLS.
- IMAP port 143: only allow login with STARTTLS.
- IMAP port 993: IMAP implicit SSL.
- POP3 port 110: only allow login with APOP secure login.
- POP3 port 995: POP3 implicit SSL.
This setup makes sure no client would ever transmit authentication information in clear text.
Sébastien Riccio
System & Network Admin
https://swisscenter.com
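As an added example (not part of the reply above), here is a small audit that checks the policy Sébastien describes for ports 25 and 587: the server must advertise STARTTLS in its clear-text EHLO reply, must not offer AUTH until the session is secured, and must offer AUTH once STARTTLS has completed. The EHLO replies are constructed samples; `audit_live` is a hypothetical helper that runs the same check against a real server using the standard library's `smtplib`.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (CRLF-separated, as on the wire).
SAMPLE_CLEAR_BAD = ("250-mail.example.test Hello\r\n"
                    "250-AUTH PLAIN LOGIN\r\n"      # AUTH before STARTTLS: bad
                    "250-STARTTLS\r\n"
                    "250 8BITMIME")
SAMPLE_CLEAR_GOOD = ("250-mail.example.test Hello\r\n"
                     "250-STARTTLS\r\n"
                     "250 8BITMIME")
SAMPLE_NO_STARTTLS = ("250-mail.example.test Hello\r\n"
                      "250 8BITMIME")
SAMPLE_AFTER_TLS = ("250-mail.example.test Hello\r\n"
                    "250-AUTH PLAIN LOGIN\r\n"       # AUTH only after STARTTLS: good
                    "250 8BITMIME")


def parse_ehlo(reply):
    """Return the set of ESMTP keywords advertised in an EHLO reply.
    The first line is the server greeting; every following line is
    '250-KEYWORD ...' or '250 KEYWORD ...' (last line)."""
    caps = set()
    for line in reply.splitlines()[1:]:
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps


def check_policy(before, after=None):
    """Compare capabilities seen before and after STARTTLS against the
    'authenticate only on a secured session' policy. Returns a list of
    findings; an empty list means the server complies."""
    problems = []
    if "AUTH" in before:
        problems.append("AUTH offered before STARTTLS: credentials may be sent in clear")
    if "STARTTLS" not in before:
        problems.append("STARTTLS not advertised on the clear-text session")
    elif after is not None and "AUTH" not in after:
        problems.append("AUTH not offered after STARTTLS: clients cannot authenticate at all")
    return problems


def audit_live(host, port=587, timeout=10):
    """Hypothetical helper: run the same check against a real server."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = {k.upper() for k in s.esmtp_features}
        after = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()                      # capabilities must be re-read after TLS
            after = {k.upper() for k in s.esmtp_features}
    return check_policy(before, after)
```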