Enforcing STARTTLS on submission port 587
The following setting enables opportunistic TLS for inbound connections on the default SMTP port (25):
smtpd_tls_security_level = may
You can enforce STARTTLS on the submission port (e.g. 587) by editing /etc/postfix/master.cf:
submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt
This will enforce STARTTLS on port 587.
- You also first need to generate a self-signed or intermediate certificate to enable inbound TLS in Postfix.
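
To confirm that the two settings above combine as intended, the following added example (not part of the original page or of Postfix) computes the effective smtpd_tls_security_level for each smtpd listener from main.cf and master.cf text. The function names and the sample input are constructed for illustration. It assumes only the "-o name=value" override form and treats an unset level as "none", ignoring the legacy smtpd_use_tls and smtpd_enforce_tls parameters.

```python
import shlex

# Constructed sample input mirroring the two settings on this page.
MAIN_CF = "smtpd_tls_security_level = may\n"
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
"""

def logical_lines(text):
    """Drop comment/blank lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def main_cf_params(text):
    """Parse 'name = value' pairs; the last definition of a name wins."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def smtpd_tls_levels(main_cf, master_cf, param="smtpd_tls_security_level"):
    """Map each smtpd listener ('service/type') to its effective TLS level."""
    default = main_cf_params(main_cf).get(param) or "none"  # assumption: unset = no TLS
    levels = {}
    for line in logical_lines(master_cf):
        f = shlex.split(line)
        if len(f) < 8 or f[7] != "smtpd":
            continue
        level = default
        for flag, arg in zip(f[8:], f[9:]):
            if flag == "-o" and arg.partition("=")[0] == param:
                level = arg.partition("=")[2]  # a later -o overrides an earlier one
        levels[f"{f[0]}/{f[1]}"] = level
    return levels

def not_enforcing(levels):
    """Listeners that still accept a session without STARTTLS."""
    return sorted(s for s, lvl in levels.items() if lvl != "encrypt")
```

On the sample input, smtp/inet reports "may" (the opportunistic setting for port 25) and submission/inet reports "encrypt". If the -o line is commented out, submission falls back to the main.cf value and shows up in not_enforcing().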