Ok, so currently you can connect securely, but you can still connect insecurely - hence the recommendation to prevent at the firewall.
Say you want 389 open but not insecure communication:
See what security level TLS connections make (usually it's 256 - depends on your key strength though), then add security tls=256 to /opt/zimbra/conf/sldapd.conf.in
security ssf=256 would be better to require all communications be 256 enc
security ssf=256 simple_bind=256
Open:
Bug 20739 - make force-TLS for LDAP configurable (hook up the ldap_require_tls attribute)
It was going to be 5.0.6, not finished so 5.0.7 that would contain the internal communication lock down:
Bug 16601 - Secure Access To LDAP (ldap_starttls_supported and zimbra_require_interprocess_security)
Still open:
Bug 15378 - Obviate the need for and disallow LDAP anonymous binds
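
An added example, not part of the original post and not Zimbra or OpenLDAP code: a simplified Python model of how slapd applies the `security` directive quoted above, showing that port 389 stays usable for StartTLS while cleartext binds and searches are refused. The function names and the sample config lines are constructed; per-database overrides are ignored, and the transport, sasl and update_* factors are parsed but not evaluated.

```python
# Simplified model of slapd's "security" directive (assumption: global scope only).
FACTORS = {"ssf", "transport", "tls", "sasl", "simple_bind",
           "update_ssf", "update_transport", "update_tls", "update_sasl"}

# Constructed sample config lines, taken from the directives in the post.
CONF_BEFORE = "# no security directive at all\n"
CONF_AFTER = "security ssf=256 simple_bind=256\n"


def parse_security(conf_text):
    """Return {factor: minimum SSF} collected from every 'security' line."""
    policy = {}
    for line in conf_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#") or words[0].lower() != "security":
            continue
        for word in words[1:]:
            name, _, value = word.partition("=")
            if name not in FACTORS or not value.isdigit():
                raise ValueError(f"bad security factor: {word!r}")
            policy[name] = int(value)
    return policy


def admits(policy, op, ssf=0, tls_ssf=0):
    """Would slapd accept operation `op` on a connection with these SSFs?"""
    if op == "starttls":
        # The StartTLS request is exempt, otherwise a client on 389
        # could never upgrade the connection.
        return True
    if tls_ssf < policy.get("tls", 0):
        return False
    if op == "simple_bind" and ssf < policy.get("simple_bind", 0):
        return False
    return ssf >= policy.get("ssf", 0)


def audit(conf_text):
    """Evaluate the cases an admin cares about for port 389."""
    p = parse_security(conf_text)
    return {
        "cleartext simple bind": admits(p, "simple_bind"),
        "cleartext search": admits(p, "search"),
        "starttls request": admits(p, "starttls"),
        "simple bind after TLS (256)": admits(p, "simple_bind", ssf=256, tls_ssf=256),
        "search over weak TLS (128)": admits(p, "search", ssf=128, tls_ssf=128),
    }


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, audit(conf))
```
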