If you can deploy another virtual server, I recommend you install a copy of CentOS 6.4 and install sendmail on that. I don't usually have to do anything to get it to use TLS, though by default it uses a "snakeoil" cert in /etc/pki/tls. You can replace that with your own certificate if you purhased one.
On the CentOS platform, I routinely install the MailScanner package that includes MailScanner itself, SpamAssassin, and ClamAV. The default configuration scans every message for viruses with ClamAV and for spam with SpamAssassin. The first are quarantined, while spam is quarantined or tagged and delivered depending on a message's SpamAssassin score.
My server shows log entries like these when it sends a message to a remote site that uses TLS:
The failed verification comes from using a certificate not signed by a trusted root.
Jul 2 19:04:20 xxxxx sendmail: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
However I don't see any inbound mail that uses TLS. All our inbound mail arrives via ESMTP. Here, for instance, is an inbound message from GMail:
Are you looking to configure sendmail to force remote sending servers to prefer TLS? If so, this looks like a good starting point.
Jul 2 08:10:11 xxxxx sendmail: r62CAB0K030723: from=<email@example.com>, size=1783, class=0, nrcpts=1, msgid=CAEpVZbSPRgPEAURHyT=5QYhzin7A6_tuGfLxKq+Xc9VqcsSCFA@mail.gmail.com>, proto=ESMTP, daemon=MTA, relay=mail-vb0-f49.google.com [184.108.40.206]