Do not enforce TLS on the default SMTP port, related to #45

postfix/conf/main.cf

@@ -27,9 +27,9 @@ relayhost = {{ RELAYHOST }}
 ###############
 
 # Only one key/certificate pair is used, SNI not being supported by all
-# services and not a strong requirement.
-smtpd_use_tls = yes
-smtpd_tls_security_level = encrypt
+# services and not a strong requirement. Also, TLS is enforced for submission
+# and smtps in master.cf.
+smtpd_tls_security_level = may
 smtpd_tls_cert_file=/certs/cert.pem
 smtpd_tls_key_file=/certs/key.pem
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

postfix/conf/master.cf

@@ -4,11 +4,11 @@
 # Exposed SMTP services
 smtp      inet  n       -       n       -       -       smtpd
 submission inet n       -       n       -       -       smtpd
-  -o smtpd_enforce_tls=yes
+  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 smtps     inet  n       -       n       -       -       smtpd
-  -o smtpd_enforce_tls=yes
+  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject