If I connect on the LAN to my mail server on port 25, it offers STARTTLS:
telnet mailserver.com 25
Trying 192.168.0.x...
Connected to mailserver.com
Escape character is '^]'.
220 mailserver.com ESMTP Postfix
ehlo bla
250-mailserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
If I try the same from an external source I do not get the STARTTLS offer:
telnet mailserver.com 25
Trying xx.xxx.xxx.xx...
Connected to mailserver.com
Escape character is '^]'.
220 mailserver.com ESMTP Postfix
ehlo bla
250-mailserver.com
250-SIZE 10240000
250-VRFY
250 DSN
The strange thing is, though, that it just works fine from outside via the submission (587) port.
My postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mailserver.com
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unverified_recipient, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/bla/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/bla/privkey.pem
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport_maps, $relay_domains
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
and my master.cf:
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
So it seems that STARTTLS on port 25 is only offered to internal IP addresses, while on port 587 it is also offered to external ones. My goal is to allow STARTTLS also on port 25 for external IPs. Where is my mistake?
Thank you very much in advance. Cheers
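A small diagnostic that reproduces the comparison made by hand in the post, written here as an added example (not code from the post or from Postfix): it parses the two EHLO replies quoted above, lists every extension the external vantage point is missing relative to the internal one, and offers a live probe built on the standard library's smtplib for repeating the check against ports 25 and 587 from each side. The sample transcripts are copied from the post; the host name `probe.example` used in the EHLO greeting and the `probe()` helper are assumptions of the example. Running the parser over the two replies shows that the external reply lacks not only STARTTLS but PIPELINING, ETRN, ENHANCEDSTATUSCODES and 8BITMIME as well, which is the detail to hand to whoever administers the server and the network path between the vantage points.

```python
import smtplib

# Constructed samples: the two EHLO replies quoted in the post above.
INTERNAL_EHLO = """250-mailserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EXTERNAL_EHLO = """250-mailserver.com
250-SIZE 10240000
250-VRFY
250 DSN"""


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line EHLO reply into {KEYWORD: parameters}.

    Per RFC 5321 section 4.1.1.1 the first line carries the server's name,
    not an extension, so it is skipped. Every following line is either
    '250-KEYWORD [params]' or, for the last line, '250 KEYWORD [params]'.
    """
    lines = [ln.strip() for ln in response.strip().splitlines() if ln.strip()]
    features = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"not an EHLO success line: {line!r}")
        body = line[4:]  # drop '250-' or '250 '
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params
    return features


def starttls_offered(features: dict) -> bool:
    """True if the server advertised STARTTLS in this EHLO reply."""
    return "STARTTLS" in features


def missing_extensions(reference: dict, observed: dict) -> set:
    """Extensions present in the reference reply but absent from the observed one."""
    return set(reference) - set(observed)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (needs network; not exercised offline): connect, send EHLO
    and return the advertised extensions as {KEYWORD: params}. smtplib fills
    esmtp_features after ehlo(), with keywords lowercased, so they are
    normalised back to upper case to match parse_ehlo()."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, _ = conn.ehlo("probe.example")  # assumed greeting name
        if code != 250:
            raise RuntimeError(f"EHLO to {host}:{port} failed with code {code}")
        return {k.upper(): v for k, v in conn.esmtp_features.items()}


def compare_vantage_points(internal: str, external: str) -> dict:
    """Summarise what the external vantage point is missing."""
    inside, outside = parse_ehlo(internal), parse_ehlo(external)
    return {
        "starttls_internal": starttls_offered(inside),
        "starttls_external": starttls_offered(outside),
        "missing_externally": sorted(missing_extensions(inside, outside)),
    }


if __name__ == "__main__":
    print(compare_vantage_points(INTERNAL_EHLO, EXTERNAL_EHLO))
    # To repeat the check live from one side, e.g.:
    # print(probe("mailserver.com", 25)); print(probe("mailserver.com", 587))
```

Because `probe()` sends a plain EHLO and then disconnects without STARTTLS or AUTH, it is safe to run from both the LAN and an outside host; comparing its output with the port 587 result from the same host isolates whether the difference tracks the port or the source network.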