Postfix STARTTLS only on port 25

SMTPS means SMTP over TLS, like with HTTPS. So first a TLS connection is established (without fallback), and then SMTP is started. Just as nobody expects HTTPS on the HTTP-Port 80, you should not expect that anybody who connects to your SMTP-service sends TLS requests. Thus, all connections to your server on port 25 will likely fail, if you enforce TLS!

STARTTLS makes encryption optional. First, a normal, unencrypted SMTP-connection is established and then the Server announces it can upgrade to STARTTLS (using a so called SMTP extension). If the server also supports STARTTLS (and it is enabled for usage), the the client requests the upgrade to TLS.

SMTPS (SMTP over TLS) is enabled in Postfix via smtpd_tls_wrappermode=yes, you set that for the smtp service, thus on port 25. As written above, this is not recommended.

I want to cite parts of Bettercrypto's paper Applied Crypto Hardening on this issue for both master.cf and main.cf. You may also consult it, as you probably have some settings in your main.cf that are hindering proper setup of TLS usage.

main.cf:

# enable opportunistic TLS support in the SMTP server and client
smtpd_tls_security_level = may
smtp_tls_security_level = may
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes

master.cf:

smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt

We don't set anything new for TLS on port 25, as the defaults in main.cf are all we need.