
If all your actual email is encrypted then by definition spam is the unencrypted stuff. A long time ago in a different galaxy I built a PGP MTA (based on sendmail at the time) which only forwarded mail that was encrypted, and as expected it was spam free, although these days spammers just might go to the trouble of sending it encrypted if they thought it would get through.
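The accept-only-encrypted policy described in this comment, as an added example that is not the commenter's sendmail-based code: it assumes a hypothetical MTA content-filter hook that hands each raw message to `smtp_verdict`, and both sample messages are constructed.

```python
from email import message_from_bytes
from email.policy import default

PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

def is_pgp_encrypted(raw: bytes) -> bool:
    """True for PGP/MIME (RFC 3156) or inline-armored PGP mail; signed-only is not encrypted."""
    msg = message_from_bytes(raw, policy=default)
    if msg.get_content_type() == "multipart/encrypted":
        # RFC 3156: protocol param is application/pgp-encrypted and there are exactly two parts
        proto = str(msg.get_param("protocol", failobj="")).lower()
        parts = msg.get_payload()
        return (proto == "application/pgp-encrypted" and len(parts) == 2
                and parts[0].get_content_type() == "application/pgp-encrypted"
                and parts[1].get_content_type() == "application/octet-stream")
    # Inline PGP: an armored MESSAGE block (not a cleartext SIGNED block) in some text part
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if PGP_ARMOR_HEADER in (part.get_payload(decode=True) or b""):
                return True
    return False

def smtp_verdict(raw: bytes) -> str:
    """SMTP reply a (hypothetical) content-filter hook would hand back to the MTA."""
    return "250 OK" if is_pgp_encrypted(raw) else "550 5.7.1 only PGP-encrypted mail is accepted"

# Constructed sample messages; the PGP body is a placeholder, not real ciphertext.
PGP_MIME = b"""From: alice@example.org
To: bob@example.org
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
<placeholder>
-----END PGP MESSAGE-----
--b1--
"""
CLEARTEXT = b"""From: sender@example.net
To: bob@example.org
Content-Type: text/plain

Hello in the clear.
"""
```

Signed-but-unencrypted mail (multipart/signed or a cleartext SIGNED block) is deliberately rejected, which is the property the policy relies on.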


I'm guessing that people who only accept encrypted mail are such a small minority, you're probably safe from most spammers if you do this.

People who target your company and employees specifically, maybe not. But even this could be made more difficult for spammers by only allowing access to your public key directory from trusted IP ranges.

It's also a great idea from the standpoint of giving an encryption policy teeth. I'm thinking of a company where the official line is "We encrypt all our email," but then some IT screwup results in having half the company sending each other cleartext email for several quarters before anybody notices.

If your mailservers reject unencrypted mail, the above scenario can't happen, because presumably people will notice when everyone's mail starts getting discarded, and it'll be fixed very quickly.


Even just setting START TLS REQUIRED might solve your spam problem, as long as only a tiny minority of people did it. That would have the added benefit of protecting you from Yahoo Mail users, the FBI, and such.

At this point, I'd consider NOT using START TLS for your MTA to be nearly as irresponsible as not using ssh instead of telnet/rsh, or not using secure passwords. It correctly pushes all the pain onto the sysadmin (and a very tiny amount of pain), rather than end users.


Do you know if a successful response to a START TLS command ensured end-to-end TLS secured mail transport?

I kinda doubt it - if for some reason your outgoing mail server connects to one of my secondary/relaying MX servers, I don't think there's any way for you to ensure that server bothers trying to set up a TLS session when it relays my mail (which I guess is mostly my problem/fault) - and similarly, if your ISP requires you to send mail via their SMTP servers (blocking port 25 isn't uncommon here) - I don't think you've got any say in whether or not that server requires TLS?

(I know - I really should go and look this up myself…)


Usually people do not block 465 or 587 (if they do, they really really suck, and you need to VPN through that network anyway). For outgoing mail, you just do STARTTLS directly to your own smarthost over those ports.



