I'm running the newest version of 13.x, and with TLS enabled it still allows STARTTLS to be ignored by the incoming connection.
I did find a workaround via a third-party hardware vendor that allows a firewall to send the STARTTLS commands and not allow a connection to your SmarterMail unless it is TLS.
You will still have all your standard ports open for this.
Google + is +MurrayW if you need the link and equipment list just in case it's edited out.
I'm using the WatchGuard XTM 330 Firewall with Fireware 11.9. The configuration is at
Combine the SmarterMail server with Fireware 11.9 and TLS becomes a full-time connection.
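
Added example, not part of the original post and not SmarterMail or WatchGuard code: a check an administrator can run against their own server, directly and then through the firewall, to see whether a client can still skip STARTTLS. The function names are hypothetical, and it assumes the enforcing side answers a cleartext `MAIL FROM` with the 530 reply that RFC 3207 specifies.

```python
import smtplib
import sys


def classify_plaintext_policy(smtp):
    """Report whether a connected SMTP session lets a client skip STARTTLS.

    `smtp` is an smtplib.SMTP-like object (ehlo, has_extn, docmd).
    Returns 'enforced', 'optional', 'not-offered' or 'inconclusive'.
    """
    code, _ = smtp.ehlo()
    if not 200 <= code < 300:
        return "inconclusive"
    offers_tls = smtp.has_extn("starttls")

    # Open an envelope in cleartext with the null sender. No RCPT/DATA
    # follows, so no message is ever submitted.
    code, reply = smtp.docmd("MAIL", "FROM:<>")
    if 200 <= code < 300:
        smtp.docmd("RSET")  # discard the envelope we just opened
        return "optional" if offers_tls else "not-offered"
    # RFC 3207: a server that requires TLS answers 530 before STARTTLS.
    # 530 is also used for "authentication required", so check the text.
    if code == 530 and b"tls" in reply.lower():
        return "enforced"
    return "inconclusive"


def audit(host, port=25, timeout=10):
    """Connect to a server you administer and classify its policy."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return classify_plaintext_policy(smtp)


if __name__ == "__main__":
    # Usage: python check_starttls.py mail.example.test 25
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(host, port, audit(host, port))
```

A result of `optional` means STARTTLS is advertised but a sender that never issues it is still accepted in cleartext; `enforced` means the envelope was refused until TLS is negotiated.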