After enabling opportunistic TLS delivery via Messaging Gateway's Administration->Configuration->host->SMTP->Advanced Settings page, you notice messages to one or more domains are queued with a queue message indicating that there was a problem negotiating a secure connection with TLS. Delivery attempts for these messages continue to fail until they are eventually bounced.
Whem Messaging Gateway (SMG) is unable to negotiate a TLS session the message is queued for redelivery but subsequent delivery attempts also attempt to secure the connection via TLS. Since a TLS connection can't be esablished, all attempts to deliver messages to that route will fail. This is a design choice to preserve the secure delivery of messages for which the receiving MTA offers the STARTTLS delivery option. Fail over to unencrypted delivery is meant for receiving MTAs that do not offer the STARTTLS delivery option.
This issue has largely been addressed with the SMG 10.6 release. Messages are redelivered in plain text when opportunistic TLS is enabled but the TLS negotiation returns an error. If, however, the remote mail server does not return a TLS error but instead closes the connection this is registered as a failed network connection and the message is queued for redelivery without being marked to bypass TLS.
Currently, the only way to address the issue of routes which offer TLS but do not return a TLS error but instead close the connection is to either specify an alternate route for the affected domains via the Protocols->Domains page or to disable opportunistic TLS.
Configuring an alternate route for a domain
Disabling oppotunistic TLS
Symantec Messaging Gateway