[CentOS] Dovecot on C7.2 - secure internet access

Thu May 5 10:03:34 UTC 2016
Gary Stainburn <gary at ringways.co.uk>

I have a mail server running on Centos 7.2 which has been working for my LAN 
for a long time.

I'm at the point where I have to make it accessible to the internet.  At the 
moment, access can be insecure but as it's on my LAN it isn't an issue.

However, for internet access I wish to force SSL/TLS.  Having read the 
documents I think it's as simple as changing 10-ssl.conf from

ssl = yes

to

ssl = required
remote 10.0.0.0/8 {
  ssl = yes
}

Am I right in thinking that this would make the global value now force SSL/TLS 
to be required, but for my LAN (10.0.0.0/8) override this with the old value 
of 'yes'

Is there a better way to do this?
Have I missed anything?
I believe that this means implies 

disable_plaintext_auth = no

for all except my LAN. Is that right?