They are insecure port, yet they are still needed.
Why is that?
Shouldn’t those ports be phased out?
I am not sure to answer totally correctly, so don’t hesitate to give an other point of view/explanation:
Port 25 is necessary to send email to other unsecured smtp (if we close this port, some mails couldn’t be delivered.
Port 80 is needed by let’s encrypt for the ACME challenge, by some YunoHost setup without internet connexion ( in Africa or Asia) which users need to be able to access page without warning, by some website which users are under the “TLS intermediate config” (not so old android device, XP…).
In general application packagers make choice or not to redirect port 80 to HTTPS. Sometime just one part of the app (web administration) force https.
A new settings system has been introduce to be able to let more option to the yunohost administrator, but for now, there are no settings developped to let the admin to be able to configure it.