Wow, this was a poor change.
enable_starttls will REQUIRE the use of starttls, but enable_starttls_auto is opportunistic - it’ll only negotiate TLS if it’s offered.
And if the mail server was connected to via initial TLS, it won’t offer starttls:
```
○ → openssl s_client -connect localhost:5587 -starttls smtp
250 CHUNKING
EHLO localhost
250-testmailrelay
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
```
Why in the world would they have done that?
The difficulty here is that we should never have offered this configuration in the first place; it should have been something like:
```
DISCOURSE_SMTP_TLS_MODE = starttls_auto # [ none | starttls | starttls_auto (default) | tls ]
```
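An added example, not part of the original posts and not Net::SMTP or Discourse code: a small Ruby model of the four proposed mode values, run against the EHLO reply shown above and against a constructed reply that does advertise STARTTLS. The names `plan_connection`, `ehlo_capabilities` and the result symbols are hypothetical.

```ruby
# Added example: a model of the four modes proposed above, not Net::SMTP or Discourse code.
TLS_MODES = %w[none starttls starttls_auto tls].freeze

# Capability keywords from an EHLO reply. The first 250 line is the server's
# greeting (its hostname), so it is skipped.
def ehlo_capabilities(reply)
  reply.lines.drop(1).filter_map do |line|
    m = line.strip.match(/\A250[- ](\S+)/)
    m && m[1].upcase
  end
end

# What a client in `mode` does after reading the EHLO reply:
#   :implicit_tls  TLS wraps the connection from the first byte; no STARTTLS step
#   :upgrade       send STARTTLS and continue inside TLS
#   :no_upgrade    continue on the transport as it already is
#   :fail          abort, because a required STARTTLS is not on offer
def plan_connection(mode, reply)
  raise ArgumentError, "unknown TLS mode: #{mode}" unless TLS_MODES.include?(mode)

  offered = ehlo_capabilities(reply).include?("STARTTLS")
  case mode
  when "tls"           then :implicit_tls
  when "none"          then :no_upgrade
  when "starttls"      then offered ? :upgrade : :fail
  when "starttls_auto" then offered ? :upgrade : :no_upgrade
  end
end

# EHLO reply copied from the session in the post: STARTTLS is not advertised.
REPLY_FROM_POST = <<~EHLO
  250-testmailrelay
  250-PIPELINING
  250-SIZE 10240000
  250-VRFY
  250-ETRN
  250-AUTH PLAIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250-DSN
  250 CHUNKING
EHLO

# Constructed reply for a server that does advertise STARTTLS.
REPLY_WITH_STARTTLS = "250-mail.example\n250-STARTTLS\n250 8BITMIME\n"

TLS_MODES.each do |mode|
  puts format("%-14s post: %-13s constructed: %s", mode,
              plan_connection(mode, REPLY_FROM_POST),
              plan_connection(mode, REPLY_WITH_STARTTLS))
end
```

With `starttls_auto`, `:no_upgrade` on a connection that was not already wrapped in TLS means the session, including `AUTH PLAIN` credentials, proceeds in cleartext, which is why a single explicit mode setting is easier to audit than overlapping booleans.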