diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf
index 49bd3f7b..4300ebe1 100644
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@@ -27,9 +27,9 @@ relayhost = {{ RELAYHOST }}
 ###############
 # Only one key/certificate pair is used, SNI not being supported by all
-# services and not a strong requirement.
-smtpd_use_tls = yes
-smtpd_tls_security_level = encrypt
+# services and not a strong requirement. Also, TLS is enforced for submission
+# and smtps in master.cf.
+smtpd_tls_security_level = may
 smtpd_tls_cert_file=/certs/cert.pem
 smtpd_tls_key_file=/certs/key.pem
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf
index 3a338a25..7ff7338e 100644
--- a/postfix/conf/master.cf
+++ b/postfix/conf/master.cf
@@ -4,11 +4,11 @@
 # Exposed SMTP services
 smtp inet n - n - - smtpd
 submission inet n - n - - smtpd
- -o smtpd_enforce_tls=yes
+ -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 smtps inet n - n - - smtpd
- -o smtpd_enforce_tls=yes
+ -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
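Review bot: With the global default lowered to `smtpd_tls_security_level = may`, nothing in this hunk keeps SASL AUTH from being offered on a cleartext session for any smtpd service that does not override the level in master.cf. Opportunistic TLS is the right setting for a public port 25, but whether SASL is enabled globally in main.cf is not visible here; if it is, add `smtpd_tls_auth_only = yes` next to the level so credentials are only accepted after STARTTLS. The new comment could also state the intent for port 25 explicitly, for example `# Port 25 stays opportunistic so remote MTAs without TLS can still deliver.`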
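Review bot: The `smtps` entry now carries `-o smtpd_tls_security_level=encrypt`, but the hunk shows no `-o smtpd_tls_wrappermode=yes`, so as written the service would wait for STARTTLS instead of starting the handshake on connect. Clients that treat this port as implicit TLS would then fail, unless wrapper mode is set on a line outside the hunk or TLS is terminated by a front end, neither of which is visible here. If implicit TLS is intended, add `-o smtpd_tls_wrappermode=yes` under `smtps`. Because both `submission` and `smtps` now use mandatory TLS, the protocol and cipher floor for them comes from `smtpd_tls_mandatory_protocols` and `smtpd_tls_mandatory_ciphers`, which are worth setting explicitly in main.cf.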