Redirect OR warn (during initial negotiation) SMTP submitters to use TLS on port 587 - leave 25 explicitly blocked by firewall for better security

I've managed to find a lot of closely related information, but not an answer truly addressing my question.

I am expanding on my homelab server, and have decided to use a small publicly hosted server as a simple proxy. My homelab will operate Mailcow and I want to use only port 587 for secure SMTP, but I want to make sure my setup doesn't appear broken, off, or somehow anomalous to say - a deliverability scan or blacklist/greylist crawler or email client/etc.

So I will have port 25 explicitly banned by IPtables to prevent resource drain from fraudulent access attempts, but I don't want to look like the server does not have SMTP available - but rather that secure SMTP is required on port 587.

Is there a way to indicate that to a requesting client/scanner/MTS server that SMTP requires TLS on port 587, should this be handled with a redirect like a webserver from 80->443? I don't want to, say, deliver a response with my webserver or anything like that, I'm hoping there's somehow some iptables config or something that naturally integrates at layer 2 or 3 for this so I can leave that port closed in IPtables, but not appear just down on SMTP.

I'm not sure that even makes sense or is necessary but I want external access to be normal through public DNS without any possible shadow banning or reputation management lists seeing me as suspicious and possibly prompting some (mostly web based) clients to flag or worse drop traffic from my domain/IP, or make a client think it can't make SMTP submissions.

Am I nuts or is there a way to do this/is this a sensible concern? Thanks in advance.

EDIT: I forgot to mention I am using HAproxy as my host's edge - so I can just redirect 25->587 and be done if that make's the most sense, I was just hoping to leave 25 blocked off entirely as botnets and DDOS/etc will then be transferred as well...

Is there a way to indicate that to a requesting client/scanner/MTS server that SMTP requires TLS on port 587

Assuming MTS is a typographic error and you meant MTA.

587 is not secure SMTP, 587 is Submission. Submission is for user agents, not for transfer agents, the only way to secure mail transfer is STARTTLS on port 25. port 465 is SubmissionS (submission with implicit tls) - but again can't be used for transfer.

You can require starttls using DANE or MTA-STS (you should probably deploy both) DANE is going to need DNSSEC at your DNS provider and MTA-STS a HTTPS server.

So no you can't close port 25 and still act as a MX for a domain.

As for user agents they usually probe a number of popular ports (465,587,25 etc) until they see something they like during setup, so closing 25 will not hurt them significantly.

If you're getting lots of garbage traffic on port 25 consider using something like fail2ban

I am using HAproxy as my host's edge

That's going to make firewall rules harder to write, but I think there's a netfilter plugin of some sort that makes haproxy transparent - so possibly that could work with fail2ban,.