diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index 43ed2df0..72828ea6 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -52,9 +52,10 @@ tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256: tls_preempt_cipherlist = yes tls_ssl_options = NO_COMPRESSION -# Outgoing TLS is more flexible because 1. not all receiving servers will -# support TLS, 2. not all will have and up-to-date TLS stack. -smtp_tls_security_level = may +# By default, outgoing TLS is more flexible because +# 1. not all receiving servers will support TLS, +# 2. not all will have and up-to-date TLS stack. +smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }} smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_protocols =!SSLv2,!SSLv3 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache diff --git a/docs/configuration.rst b/docs/configuration.rst index 292d4303..20df3767 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -69,6 +69,10 @@ The ``RELAYHOST`` is an optional address of a mail server relaying all outgoing mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed. +By default postfix uses "opportunistic TLS" for outbound mail. This can be changed +by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended +if you are a relayhost that supports TLS. + The ``FETCHMAIL_DELAY`` is a delay (in seconds) for the fetchmail service to go and fetch new email if available. Do not use too short delays if you do not want to be blacklisted by external services, but not too long delays if you diff --git a/setup/flavors/compose/mailu.env b/setup/flavors/compose/mailu.env index 78ecce72..b3cef48d 100644 --- a/setup/flavors/compose/mailu.env +++ b/setup/flavors/compose/mailu.env 
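Review bot: The new `smtp_tls_security_level` line in core/postfix/conf/main.cf writes whatever `OUTBOUND_TLS_LEVEL` holds straight into the Postfix configuration, and `default('may')` only covers an undefined variable. If the variable can reach the template defined but empty (for example `OUTBOUND_TLS_LEVEL=` in the env file, which is not visible here), the rendered value is empty and Postfix falls back to its legacy settings, which by default means no outbound TLS at all; `{{ OUTBOUND_TLS_LEVEL|default('may', true) }}` closes that gap. The comment above the setting should also say that `encrypt` makes TLS mandatory but does not verify the server certificate, so it does not stop an active man-in-the-middle, and that mail to hosts without STARTTLS will be deferred; `verify`, `secure` or `dane` are the levels that authenticate the peer. At `encrypt` and above the protocol floor is `smtp_tls_mandatory_protocols`, which in this hunk still only excludes SSLv2 and SSLv3.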
@@ -76,8 +76,8 @@ FETCHMAIL_DELAY={{ fetchmail_delay or '600' }} RECIPIENT_DELIMITER={{ recipient_delimiter or '+' }} # DMARC rua and ruf email -DMARC_RUA={{ dmarc_rua or 'admin' }} -DMARC_RUF={{ dmarc_ruf or 'admin' }} +DMARC_RUA={{ dmarc_rua or postmaster }} +DMARC_RUF={{ dmarc_ruf or postmaster }} # Welcome email, enable and set a topic and body if you wish to send welcome # emails to all users. diff --git a/setup/flavors/stack/docker-compose.yml b/setup/flavors/stack/docker-compose.yml index 6ae0f103..66731805 100644 --- a/setup/flavors/stack/docker-compose.yml +++ b/setup/flavors/stack/docker-compose.yml @@ -43,6 +43,8 @@ services: - "{{ root }}/dkim:/dkim" deploy: replicas: {{ admin_replicas }} + healthcheck: + disable: true imap: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-{{ version }}} @@ -52,6 +54,8 @@ services: - "{{ root }}/overrides:/overrides" deploy: replicas: {{ imap_replicas }} + healthcheck: + disable: true smtp: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-{{ version }}} @@ -61,6 +65,8 @@ services: - "{{ root }}/overrides:/overrides" deploy: replicas: {{ smtp_replicas }} + healthcheck: + disable: true antispam: image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}} @@ -71,6 +77,8 @@ services: - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d" deploy: replicas: 1 + healthcheck: + disable: true # Optional services {% if antivirus_enabled %} @@ -81,6 +89,8 @@ services: - "{{ root }}/filter:/data" deploy: replicas: 1 + healthcheck: + disable: true {% endif %} {% if webdav_enabled %} @@ -91,6 +101,8 @@ services: - "{{ root }}/dav:/data" deploy: replicas: 1 + healthcheck: + disable: true {% endif %} {% if fetchmail_enabled %} @@ -101,6 +113,8 @@ services: - "{{ root }}/data:/data" deploy: replicas: 1 + healthcheck: + disable: true {% endif %} {% if webmail_type != 'none' %} 
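Review bot: The new `DMARC_RUA` and `DMARC_RUF` lines in setup/flavors/compose/mailu.env drop the literal fallback, so if `postmaster` is undefined or empty in the setup context both values render empty instead of `admin`. Whether the setup form always supplies `postmaster` is not visible in this hunk; keeping a last-resort default, `DMARC_RUA={{ dmarc_rua or postmaster or 'admin' }}` and the same for `DMARC_RUF`, avoids an empty report address. Only the compose flavor's mailu.env is changed in this diff, so if the stack flavor has its own env template it should get the same change.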
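Review bot: `healthcheck: disable: true` is added to every service in setup/flavors/stack/docker-compose.yml (the hunk at -43 and each later one through the last at -119) with no comment saying why. With the health checks disabled, swarm no longer sees an unhealthy container, so a hung smtp, imap or admin task stays in rotation and rolling updates are not gated on health. Add a comment at the first occurrence, such as `# Health checks disabled in swarm mode, see issue 1289; re-enable once fixed`, and consider disabling only the services that actually fail rather than all of them.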
@@ -111,6 +125,8 @@ services: - "{{ root }}/webmail:/data" deploy: replicas: 1 + healthcheck: + disable: true {% endif %} {% if db_flavor == 'postgresql' and postgresql == 'internal' %} @@ -119,6 +135,8 @@ services: env_file: {{ env }} volumes: - "{{ root }}/data/psql_backup:/backup" + healthcheck: + disable: true {% endif %} networks: diff --git a/setup/templates/steps/stack/04_replicas.html b/setup/templates/steps/stack/04_replicas.html index 785125cc..9f6de061 100644 --- a/setup/templates/steps/stack/04_replicas.html +++ b/setup/templates/steps/stack/04_replicas.html @@ -22,7 +22,7 @@
- +
-{% endcall %} \ No newline at end of file +{% endcall %} diff --git a/towncrier/1478.feature b/towncrier/1478.feature new file mode 100644 index 00000000..fcfe6ea2 --- /dev/null +++ b/towncrier/1478.feature @@ -0,0 +1 @@ +Allow to enforce TLS for outbound mail by setting OUTBOUND_TLS_LEVEL=encrypt for postfix. \ No newline at end of file diff --git a/towncrier/newsfragments/1289.bugfix b/towncrier/newsfragments/1289.bugfix new file mode 100644 index 00000000..8dc41dea --- /dev/null +++ b/towncrier/newsfragments/1289.bugfix @@ -0,0 +1 @@ +Disable Health checks on swarm mode diff --git a/towncrier/newsfragments/1463.bugfix b/towncrier/newsfragments/1463.bugfix new file mode 100644 index 00000000..37423bfa --- /dev/null +++ b/towncrier/newsfragments/1463.bugfix @@ -0,0 +1 @@ +Defining POSTMASTER through setup tool apply also to DMARC_RUA and DMARC_RUF settings