The idea is to force users to
configure their email clients with
an encrypted outgoing SMTP server. With
the current conf, Thunderbird leaves
them the option to communicate with
the SMTP server in plain text...
You cannot disable this option in Thunderbird without recompiling the source code, but you can configure the Postfix smtpd daemon (which receives mail from your clients) to enforce encryption. To do that, use smtpd_tls_security_level=encrypt,
which is equivalent to the obsolete options smtpd_use_tls=yes and smtp_enforce_tls=yes. smtpd_tls_security_level=encrypt and smtp_enforce_tls=yes both imply smtpd_tls_auth_only=yes.
From the Postfix documentation about smtpd_tls_security_level=encrypt:
Mandatory TLS encryption: announce
STARTTLS support to SMTP clients, and
require that clients use TLS
encryption. According to RFC 2487 this
MUST NOT be applied in case of a
publicly-referenced SMTP server.
Instead, this option should be used
only on dedicated servers.
If you use a public server, you cannot enforce email encryption on port 25/tcp. A better solution is to disable mail delivery from your clients via the Postfix smtpd daemon on port 25/tcp and enable the Postfix submission daemon (which is a special Postfix smtpd daemon, used only for receiving mail from your local clients, described in RFC 4409 and running on port 587/tcp). To do that, set smtpd_tls_security_level=may and remove permit_sasl_authenticated
from smtpd_recipient_restrictions. In master.cf,
uncomment the lines for the submission daemon:
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
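
One way to confirm that a master.cf really carries the submission settings described above. This is an added example, not part of the original answer. The function names `parse_master_cf` and `audit_submission` are hypothetical, the sample entries are constructed, and only the plain `-o name=value` form is handled.

```python
# Overrides the submission service must carry (values taken from the answer above).
REQUIRED = {
    "smtpd_tls_security_level": "encrypt",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_recipient_restrictions": "permit_sasl_authenticated,reject",
}
# Constructed sample: the submission entry once it is uncommented.
GOOD = """\
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""
# Constructed sample: opportunistic TLS only, plus a misspelled parameter name.
BAD = GOOD.replace("=encrypt", "=may").replace("restrictions", "resrictions")

def parse_master_cf(text):
    """Return {(service, type): {"command": str, "overrides": dict}}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues the entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = line.split()
        if len(fields) < 8:
            continue                          # not a complete service entry
        overrides, args = {}, fields[8:]
        for flag, setting in zip(args, args[1:]):
            if flag == "-o" and "=" in setting:
                key, value = setting.split("=", 1)
                overrides[key] = value
        services[(fields[0], fields[1])] = {"command": fields[7], "overrides": overrides}
    return services

def audit_submission(text):
    """List the problems in the submission entry; an empty list means it matches."""
    entry = parse_master_cf(text).get(("submission", "inet"))
    if entry is None:
        return ["submission service is missing or still commented out"]
    problems = [] if entry["command"] == "smtpd" else ["command is not smtpd"]
    for key, want in REQUIRED.items():
        if entry["overrides"].get(key) != want:
            problems.append("%s is %r, expected %r" % (key, entry["overrides"].get(key), want))
    return problems
```

A misspelled override name shows up as the required parameter being absent (`None`), which is how a typo in a `-o` line silently leaves the service without the intended restriction.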