diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 3d23bec2..7f84ade7 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -56,11 +56,15 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 # By default, outgoing TLS is more flexible because
 # 1. not all receiving servers will support TLS,
 # 2. not all will have and up-to-date TLS stack.
-smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
+smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map
+smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
+smtp_host_lookup = dns
+smtp_dns_support_level = dnssec
 
 ###############
 # Virtual
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 4c291061..799d42f5 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
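Review bot: `smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map` uses the `hash:` table type while the two session-cache settings directly below it use `lmdb:`; `hash:` needs Berkeley DB support compiled into this Postfix build, which nothing in the hunk establishes, so either confirm the image's `postconf -m` lists `hash` or use `lmdb:` for consistency (start.py's `postmap` call and its `.db` existence check would then need to match). The missing spaces around `=` on that line are also out of step with every other assignment in the file. `smtp_dns_support_level = dnssec` only yields authenticated lookups when the resolver Postfix queries validates DNSSEC; with a non-validating resolver it quietly degrades to ordinary lookups, so a comment such as `# dnssec only takes effect with a validating local resolver` above it would spare the next reader a false sense of protection.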
@@ -68,6 +68,12 @@ for map_file in glob.glob("/overrides/*.map"):
     os.system("postmap {}".format(destination))
     os.remove(destination)
 
+if not os.path.exists("/etc/postfix/tls_policy.map.db"):
+    with open("/etc/postfix/tls_policy.map", "w") as f:
+        for domain in ['gmail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'outlook.com', 'comcast.net', 'icloud.com', 'msn.com', 'hotmail.co.uk', 'live.com', 'yahoo.co.in', 'me.com', 'mail.ru', 'cox.net', 'yahoo.co.uk', 'verizon.net', 'ymail.com', 'hotmail.it', 'kw.com', 'yahoo.com.tw', 'mac.com', 'live.se', 'live.nl', 'yahoo.com.br', 'googlemail.com', 'libero.it', 'web.de', 'allstate.com', 'btinternet.com', 'online.no', 'yahoo.com.au', 'live.dk', 'earthlink.net', 'yahoo.fr', 'yahoo.it', 'gmx.de', 'hotmail.fr', 'shawinc.com', 'yahoo.de', 'moe.edu.sg', 'naver.com', 'bigpond.com', 'statefarm.com', 'remax.net', 'rocketmail.com', 'live.no', 'yahoo.ca', 'bigpond.net.au', 'hotmail.se', 'gmx.at', 'live.co.uk', 'mail.com', 'yahoo.in', 'yandex.ru', 'qq.com', 'charter.net', 'indeedemail.com', 'alice.it', 'hotmail.de', 'bluewin.ch', 'optonline.net', 'wp.pl', 'yahoo.es', 'hotmail.no', 'pindotmedia.com', 'orange.fr', 'live.it', 'yahoo.co.id', 'yahoo.no', 'hotmail.es', 'morganstanley.com', 'wellsfargo.com', 'wanadoo.fr', 'facebook.com', 'yahoo.se', 'fema.dhs.gov', 'rogers.com', 'yahoo.com.hk', 'live.com.au', 'nic.in', 'nab.com.au', 'ubs.com', 'shaw.ca', 'umich.edu', 'westpac.com.au', 'yahoo.com.mx', 'yahoo.com.sg', 'farmersagent.com', 'yahoo.dk', 'dhs.gov']:
+            f.write(f'{domain}\tsecure\n')
+    os.system("postmap /etc/postfix/tls_policy.map")
+
 if "RELAYUSER" in os.environ:
     path = "/etc/postfix/sasl_passwd"
     conf.jinja("/conf/sasl_passwd", os.environ, path)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 1541a345..27f8db7d 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
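Review bot: The exit status of `os.system("postmap /etc/postfix/tls_policy.map")` is discarded, so a failed postmap leaves the `.map` in place with no `.db` beside it and, as far as I can tell, Postfix's smtp client would then fail to open the table and defer outbound mail instead of falling back; change it to `if os.system("postmap /etc/postfix/tls_policy.map") != 0: raise SystemExit("postmap of tls_policy.map failed")` (or `subprocess.run([...], check=True)` if `subprocess` is already imported at the top of the file). Pinning roughly ninety third-party domains to `secure` also means delivery to any of them is deferred whenever its MX presents a certificate that does not chain to `/etc/ssl/certs` or does not name the recipient domain (Postfix's default `secure` match is the nexthop), so the list deserves a comment recording that each entry was checked and when. The literal list should be hoisted to a module-level constant written one domain per line, with a comment noting that the `.db` existence check is what lets a user-supplied `/overrides/tls_policy.map`, handled by the loop that begins above this hunk, take precedence over the built-in default.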
@@ -72,8 +72,8 @@ mail in following format: ``[HOST]:PORT``.
 ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
-by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
-if you are a relayhost that supports TLS.
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
+if you are using a relayhost that supports TLS.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed
 by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for
diff --git a/towncrier/newsfragments/1558.feature b/towncrier/newsfragments/1558.feature
new file mode 100644
index 00000000..5c4ec30f
--- /dev/null
+++ b/towncrier/newsfragments/1558.feature
@@ -0,0 +1 @@
+Make smtp_tls_policy_maps easily configurable