Only enable STARTTLS for public mail servers
STARTTLS
is only enabled if the mail server has a public IP address
and implicit TLS is not enabled.
Internal mail servers usually use self-signed certificates which cannot be verified without a trust store. Implicit TLS can be used if encryption is required.