This is normal operation of email scanning of encrypted connections. Symantec Endpoint Protection only monitors port 25 for SMTP traffic and port 110 for POP3 traffic. Symantec Endpoint Protection's email feature is designed to scan readable email for threats. This is done as a client of our email proxy tool which redirects ports 25 and 110. This type of redirection and interception of mail is exactly what secure email protocols are designed to protect against. As a result, Symantec Endpoint Protection can only intercept and scan unsecured standard SMTP and POP3 traffic. Encrypted email cannot be decrypted and the Endpoint Protection client will not have access to the attachments to scan for threats.
The advanced options "Allow encrypted POP3 connections" and " Allow encrypted SMTP connections" are to prevent the email proxy from interfering with secure email traffic over monitored ports 25 and 110. They are not designed to disable secure email transaction. If desired, this is more properly the role of the Network Threat Protection firewall.