This option adds a checkbox that enables blocking of emails sent without TLS, and lets you choose the action taken once a message is blocked. The checkbox should be enabled by default and the action should be Quarantine by default. When you enable this feature, a popup will appear asking whether you wish to whitelist all your internal domains. If you press 'YES', the internal domains will be set in the current domain's whitelist section.
The non-TLS block option should also be present in the whitelist scanning settings (on edit and on scan settings). If one of your whitelists has this option enabled, the non-TLS block check will not work for that particular whitelisted address. If a message is detected without TLS and you have enabled this feature, you will see a log entry of type NON-TLS BLOCK.