Forcing encryption for outgoing SMTP with Postfix
smtp_tls_security_level = encrypt or smtp_enforce_tls=yes
For specific destinations you could use smtp_tls_policy_maps
smtp_use_tls = yes and smtp_enforce_tls=yes are deprecated. With Postfix 2.3 and later use smtp_tls_security_level instead.
Remember: Enforcing TLS encryption could cause mail delivery problems for SMTP host, that doesn't have TLS configured. If server is used to deliver mails to only your internal server with configured TLS, it's not a problem in that case. But if server is used to deliver mail to public servers, you cannot assume, that all servers has TLS support. In that case use smtp_tls_security_level = may
The idea is to force users to configure their email clients with encrypted outgoing smtp server. With the current conf, Thunderbird leave them the option to communicate with the smtp server in plain text...
You cannot disable option in Thunderbird without recompiling source code, but you can configure postfix stmpd daemon (which receives mail from your clients) to enforce encryption. To do that, use smtpd_tls_security_level=encrypt, which is equivalent of obsolete options smtpd_use_tls=yes and smtp_enforce_tls=yes. smtpd_tls_security_level=encrypt and smtp_enforce_tls=yes implies smtpd_tls_auth_only=yes
From postfix documentation about smtpd_tls_security_level=encrypt
Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers.
If you use public server, you cannot enforce email encryption on port 25/tcp. Better solution is disable mail delivery on by postfix smtpd daemon port 25/tcp from your clients and enable postfix submission daemon (which is special postfix smtpd daemon used only for receiving mail from your local clients described in RFC 4409 running on port 587/tcp). To do that, set smtpd_tls_security_level=may and remove permit_sasl_authenticated
from smtpd_recipient_restrictions. In master.cf
uncomment line about submission daemon:
submission inet n - n - - submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_resrictions=permit_sasl_authenticated,reject
Just curious, how are you telling that it isn't using TLS? The default value for smtp_tls_loglevel (which is different from smtpd_tls_loglevel) is 0, so by default you won't see anything about TLS negotiation for outbound mail in Postfix's logs.
If you set smtp_tls_loglevel = 1 or higher, you should see a line like this in the log when a message is sent:
Mar 7 22:28:10 rack postfix/smtp[27400]: initializing the client-side TLS engine
I admit I'm being lazy, but aside from that (and ms' notes above) the config looks fine to me at a glance.