Ah yes you are correct.
Because you changed the global postfix setting for smtp_tls_security_level
and smtp_tls_wrappermode
it means that it will be used for all smtp connections. What you should do it to only configure this for the smtp service used for outgoing email but not for the smtp connector which sends to the local back-end.
in /etc/postfix/master.cf
:
smtp unix - - n - - smtp
-o smtp_tls_security_level = encrypt
-o smtp_tls_wrappermode = yes
Now email sent via smtp to external should be forced to encrypt but email sent to the back-end (via the djigzo service) should not be TLS encrypted.