I am using this chunk of code inside /etc/postfix/master.cf to force people to securely "submit" email through port 465, which uses protocol SMTPS. SMTPS supports mandatory TLS, which I use to demand that clients 1st "encrypt" the connection using mandatory TLS and 2nd "authenticate" using a SASL mechanism.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
#
  -o smtpd_use_tls=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
  -o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
  -o smtpd_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
  -o smtpd_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
#
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#
This works as expected. It actually works great!

I wanted to secure port 25 in the same way, but it looks like it is impossible, as this port has two inbound functionalities, i.e. "submission" and "relay receiving" (it is stupid to prolong the life of this port that we should get rid of ASAP).
On port 25 there is only protocol SMTP, which does not support mandatory TLS! So for inbound email, i.e. "submission" and "relay receiving", all that can be enabled is opportunistic TLS (can be hacked). So all I can enable is a bad "encryption" which can later be enhanced using DANE (can't be hacked easily).

So for port 25 I have hopes for my "encryption" to be sufficient at some point, while I don't understand how to set up SASL "authentication"!

I tried using this chunk of code in /etc/postfix/master.cf, where the 1st part of the code sets up opportunistic TLS and the second part should set up SASL "authentication".
smtp      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtp
#
  -o smtpd_use_tls=yes
  -o smtpd_tls_security_level=may
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
  -o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
  -o smtpd_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
  -o smtpd_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
#
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
#
Unfortunately, I discovered that the line:

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

on one hand forces clients who want to "submit" email through port 25 to "authenticate", and on the other hand rejects all the "relay received" email arriving from other MTAs!

So how can I achieve both:

- preventing anyone from the internet from "submitting" email using port 25 on my server.
- "relay receiving" all the email coming from other MTAs to my port 25.
0 Answers
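For contrast, this is what the port 25 entry looks like when the relay decision is moved out of smtpd_client_restrictions. It is an added example, not the asker's configuration and not a Postfix default: the certificate paths are the ones from the question, the choice to switch SASL off on port 25 is an assumption (submission stays on 465 as configured above), and the set of domains this server accepts mail for is whatever main.cf already declares.

```conf
# Port 25: MTA-to-MTA delivery only; no submission, no authentication
smtp      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtp
#
# Opportunistic TLS: accept STARTTLS when the sending MTA offers it
  -o smtpd_tls_security_level=may
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_cert_file=/etc/ssl/certs/server-rsa.cert
  -o smtpd_tls_key_file=/etc/ssl/private/server-rsa.key
  -o smtpd_tls_eccert_file=/etc/ssl/certs/server-ecdsa.cert
  -o smtpd_tls_eckey_file=/etc/ssl/private/server-ecdsa.key
#
# Assumption: no AUTH on a port where TLS is only opportunistic; clients
# that need to submit use the smtps entry on 465 instead
  -o smtpd_sasl_auth_enable=no
#
# Client-stage restrictions run at connect time for every peer, so
# "permit_sasl_authenticated,reject" turns away every foreign MTA before it
# can name a recipient. Clear the client-stage override and decide at
# RCPT TO instead: unknown clients may deliver to this server's own domains
# (mydestination / virtual / relay_domains) but may not relay anywhere else.
  -o smtpd_client_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
#
```

The restriction that does the work is reject_unauth_destination: an unauthenticated client that asks for a recipient outside the domains this server hosts is refused, which is exactly "no submission from the internet", while a recipient inside those domains is accepted, which is "relay receiving". The asker's defer_unauth_destination behaves the same way but answers with a temporary 4xx instead of a permanent 5xx, so a misconfigured sender keeps retrying. If SASL is left enabled on port 25 after all, add `-o smtpd_tls_auth_only=yes` so that AUTH is never offered, and a password never sent, before STARTTLS has completed. After editing, `postconf -Mf smtp/inet` prints the effective entry and `postfix reload` applies it; a `postconf -n` afterwards confirms that the main.cf values were not overridden by mistake.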