We currently use a commercial outbound gateway to ensure TLS encryption of all outbound sessions.   If a recipient cannot connect using TLS, the message will eventually bounce.  Then we manually configure delivery for that domain to always use our secure web relay solution.   

 As I have indicated elsewhere, I am planning the retirement of the commercial solution.   So I am looking for an alternate MTA that will enforce outbound TLS.   Automatic failover to an encryption solution would be desirable, but we don't have it now so it is not strictly necessary.    

Any suggestions?

(Inbound encryption is not mandatory, as we consider transport security the responsibility of the sender, not the recipient.   I am assuming that inbound gateway is a separate device from the outbound gateway.)