The industry-standard configuration is port 25 for unauthenticated connections used for delivery to local email addresses, and port 587 (and 465 for legacy support) for authenticated connections used for relaying your users' messages to external addresses. Generally port 587 requires authentication, while port 25 doesn't allow it. Similarly, STARTTLS can be required on port 587 while remaining optional on port 25.
Domino doesn't support this configuration. Instead, it has one incoming port for unencrypted and STARTTLS connections, and a second port for legacy SSL. In addition to port 587 being basically unusable, these two ports also share relay and authentication settings. Domino does have a setting to allow relaying only when authenticated, without which it would be unusable. However, it is currently not possible to require SSL/STARTTLS for relaying mail without also requiring it for incoming unauthenticated connections.
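The port policy described above can be checked against what a listener advertises in its EHLO replies. This is an added example, not part of the original text and not Domino code; `POLICY`, `parse_ehlo` and `audit` are hypothetical names, and the EHLO replies are constructed samples (the shared-settings reply is an assumption about such a listener, not captured Domino output).

```python
import re

# Policy from the text above: port 25 takes unauthenticated delivery with
# optional STARTTLS; port 587 takes authenticated relay and requires STARTTLS.
POLICY = {
    25: {"auth_allowed": False, "tls_required": False},
    587: {"auth_allowed": True, "tls_required": True},
}

def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    keywords = set()
    for line in reply.strip().splitlines()[1:]:  # first line is the greeting
        match = re.match(r"250[- ](\S+)", line.strip())
        if match:
            # "AUTH=LOGIN" is a legacy spelling of the AUTH keyword
            keywords.add(match.group(1).split("=")[0].upper())
    return keywords

def audit(port, pre_tls, post_tls=""):
    """Compare what a listener advertises before/after STARTTLS with POLICY.
    This checks advertisement only; enforcement needs a live test as well."""
    policy = POLICY[port]
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "AUTH" in pre:
        findings.append("AUTH offered before STARTTLS")
    if not policy["auth_allowed"] and "AUTH" in (pre | post):
        findings.append("AUTH offered on delivery port")
    if policy["tls_required"] and "STARTTLS" not in pre:
        findings.append("STARTTLS missing on submission port")
    if policy["auth_allowed"] and post_tls and "AUTH" not in post:
        findings.append("AUTH missing after STARTTLS")
    return findings

# Constructed EHLO replies (not captured from any real server).
MX_25 = "250-mail.example.test Hello\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME"
SUB_587_PRE = "250-mail.example.test Hello\n250-STARTTLS\n250 8BITMIME"
SUB_587_POST = "250-mail.example.test Hello\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
# One listener on port 25 with shared relay/auth settings and optional STARTTLS.
SHARED_25 = "250-mail.example.test Hello\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    print(audit(25, MX_25))
    print(audit(587, SUB_587_PRE, SUB_587_POST))
    print(audit(25, SHARED_25))
```

The split-port samples produce no findings, while the shared listener is flagged twice because authentication is reachable on the delivery port before any encryption is negotiated.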