Every system has different requirements. From supporting older clients to enforcing new PCI rules, there is no single answer.
With DirectAdmin setups,we like to lean towards functionality first, and admin's can tighten things up if they need to (knowing it will alienate some clients).
With dovecot, the SSL settings are stored in:
but this file shouldn't be edited directly.
To make a custom change to this file, use the CustomBuild custom directory, like this:
mkdir -p custom/dovecot/conf
cp configure/dovecot/conf/ssl.conf custom/dovecot/conf/ssl.conf