On the ASA you allow TLS in ESMTP inspection, but not actually block it. The inspection will block it by default though.
So you have 2 options:
- enable inspection
- have an IPS or router device with FPM match on the STARTTLS command payload to block it (you need to check where that is in order to calibrate the method).
I hope it helps.