I found a way to make my security scan happy. I added the following line to /etc/postfix/main.cf:
tls_preempt_cipherlist = yes
By having the server select the best preference, rather than the client, it looks like it starts with the highest level of security first.