mail-transfer-agents are configured fail open by default. There is nothing about SMTP that requires fail open. You can configure postfix to require TLS for all destinations or for specific domains if you want to:

http://www.postfix.org/TLS_README.html#client_tls_encrypt

Depending on your environment you could also do the same thing and require DANE:

http://www.postfix.org/TLS_README.html#client_tls_dane

I am sure exim has an equivalent setting (maybe not for DANE).