All fine now thx, I'm just testing everything at the moment so self-signed should be enough for now, how I can confirm/check that the connection is really secure now?
Get managed switch and run packet sniffer on mirrored port, or run packet sniffer on webserver or run packet sniffer on router, if you can. See all gobbledygook that sniffer can capture on SSL enabled ports and compare it with traffic on standard SMTP/POP3/IMAP/HTTP ports.
If users use HTTPS, POPS, IMAPS and SMTP-over-SSL, their passwords will be protected. If you enable Auto-Ban in hMailServer, bruteforce attacks should be slowed down. Bruteforce attacks might still work on webmail and your webmail will need some extension to handle bruteforce attacks against users' passwords.
Do you think that roundcube is best otion as a web client and is there any way that users could change the password themself or maybe even creat accounts?
I can't give recommendations on webmail clients. It depends on what you expect from webmail and which scripting languages are available on webserver. hMailServer has plugins to change passwords in SquirrelMail. IMP and Roundcube can allow end users to change their passwords, if you can create appropriate plugins or extensions.
If you want to allow account creation, see scripts posted on forum's Scripts section.