diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 429e778c..4a673b71 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -31,6 +31,7 @@ DEFAULT_CONFIG = {
     'HOSTNAMES': 'mail.mailu.io,alternative.mailu.io,yetanother.mailu.io',
     'POSTMASTER': 'postmaster',
     'TLS_FLAVOR': 'cert',
+    'INBOUND_TLS_ENFORCE': False,
     'AUTH_RATELIMIT': '10/minute;1000/hour',
     'AUTH_RATELIMIT_SUBNET': True,
     'DISABLE_STATISTICS': False,
diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index f9ebbf13..600e438b 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -17,6 +17,9 @@ STATUSES = {
         "smtp": "535 5.7.8",
         "pop3": "-ERR Authentication failed"
     }),
+    "encryption": ("Must issue a STARTTLS command first", {
+        "smtp": "530 5.7.0"
+    }),
 }
 
 def check_credentials(user, password, ip, protocol=None):
@@ -42,12 +45,27 @@ def handle_authentication(headers):
     protocol = headers["Auth-Protocol"]
     # Incoming mail, no authentication
     if method == "none" and protocol == "smtp":
-        server, port = get_server(headers["Auth-Protocol"], False)
-        return {
-            "Auth-Status": "OK",
-            "Auth-Server": server,
-            "Auth-Port": port
-        }
+        server, port = get_server(protocol, False)
+        if app.config["INBOUND_TLS_ENFORCE"]:
+            if "Auth-SSL" in headers and headers["Auth-SSL"] == "on":
+                return {
+                    "Auth-Status": "OK",
+                    "Auth-Server": server,
+                    "Auth-Port": port
+                }
+            else:
+                status, code = get_status(protocol, "encryption")
+                return {
+                    "Auth-Status": status,
+                    "Auth-Error-Code" : code,
+                    "Auth-Wait": 0
+                }
+        else:
+            return {
+                "Auth-Status": "OK",
+                "Auth-Server": server,
+                "Auth-Port": port
+            }
     # Authenticated user
     elif method == "plain":
         server, port = get_server(headers["Auth-Protocol"], True)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 26bdb024..8e3a091e 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -73,6 +73,13 @@ By default postfix uses "opportunistic TLS" for outbound mail. This can be chang
 by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
 if you are a relayhost that supports TLS.
 
+Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
+by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
+internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS
+support or e.g. mismatching TLS versions to deliver emails to Mailu.
+
+.. _`RFC 3207`: https://tools.ietf.org/html/rfc3207
+
 .. _fetchmail:
 
 The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to
diff --git a/towncrier/newsfragments/1610.feature b/towncrier/newsfragments/1610.feature
new file mode 100644
index 00000000..b56ac332
--- /dev/null
+++ b/towncrier/newsfragments/1610.feature
@@ -0,0 +1 @@
+Add possibility to enforce inbound STARTTLS via INBOUND_TLS_LEVEL=true