by sydli 2684 days ago
In the majority of cases, TLS for SMTP (delivery between MTAs) is still trivially downgradeable. So they could presumably downgrade and read SMTP traffic that's going between MTAs in Norway and MTAs outside Norway.

Wouldn't that also be trivially detectable?
Of course, as long as you're one of the parties involved in the SMTP communication.

The problem is that even though you're trivially able to detect that TLS is not in use, the vast majority of mail providers won't act on that knowledge by refusing to send mail unencrypted (except maybe for some hosts explicitly whitelisted for that approach).

Why? Too many broken TLS setups, historically. Might be better now, I vaguely remember some push towards that from the big providers.

From one party's perspective, it may just look like the other party does not support TLS. Without another point of reference, MTAs can't tell the difference between a lack of TLS support and a downgrade attack.

Alternatively, the government could also conduct a TLS certificate man-in-the-middle, which would work in most cases since almost no MTAs validate certificates outside of occasionally trying DANE (a spec for pinning certs over DNSSEC).

Because almost nobody in the real world uses DNSSEC, there's a standard in the works that addresses this threat more directly:

https://datatracker.ietf.org/doc/rfc8461/
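
As an added illustration (not part of the thread, and not code from any MTA), here is how a sending MTA could apply a cached MTA-STS policy from RFC 8461 as the outside point of reference, so that a missing STARTTLS offer is treated as a failure instead of "no TLS support". The policy text, hostnames and the function names `parse_policy`, `mx_allowed` and `decide` are assumptions made for the example.

```python
# Constructed sample policy and hostnames; not taken from the thread.
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\n"
                 "mx: mail.example.com\r\nmx: *.mx.example.net\r\nmax_age: 604800\r\n")

def parse_policy(text):
    """Parse the key/value policy body the recipient domain serves over HTTPS."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy

def mx_allowed(mx_host, patterns):
    """'*.' patterns match exactly one left-most label; other patterns match exactly."""
    host = mx_host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return any(parent == p[2:] if p.startswith("*.") else host == p for p in patterns)

def decide(policy, mx_host, starttls_offered, cert_valid):
    """Return (action, reason) for one delivery attempt under a cached policy."""
    if policy["mode"] == "none":
        return "deliver", "no active policy"
    if not mx_allowed(mx_host, policy["mx"]):
        failure = "MX not listed in policy"
    elif not starttls_offered:
        failure = "STARTTLS not offered (possible downgrade)"
    elif not cert_valid:
        failure = "certificate failed validation"
    else:
        return "deliver", "policy satisfied"
    # enforce refuses delivery; testing still delivers and only records the failure
    return ("refuse" if policy["mode"] == "enforce" else "deliver"), failure

if __name__ == "__main__":
    cached = parse_policy(SAMPLE_POLICY)
    print(decide(cached, "mail.example.com", True, True))
    print(decide(cached, "mail.example.com", False, False))
```

The decision only holds while the sender has a valid cached policy; fetching the policy, honouring `max_age` and validating the certificate are outside this sketch.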