Now that postfix has CAs we can switch to secure

encrypt means "ensure we have some confidentiality" whereas secure means
"ensure we have confidentiality while talking to the right peer"
(protects against passive or/and active MITM attacks)

docs/configuration.rst

@@ -70,7 +70,7 @@ mail in following format: ``[HOST]:PORT``.
 ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed.
 
 By default postfix uses "opportunistic TLS" for outbound mail. This can be changed
-by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt``. This setting is highly recommended
+by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended
 if you are a relayhost that supports TLS.
 
 Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed