diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
index 34756d4..4ff2c5e 100644
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -20,7 +20,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
-relayhost = [{{ hostvars[relayhost].ipv4_addr }}]:25
+relayhost = [{{ hostvars[relayhost].ipv4_addr }}]:465
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
@@ -34,5 +34,6 @@ smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
 smtp_tls_CApath = /etc/ssl/certs
-smtp_tls_security_level = may
+smtp_tls_wrappermode = yes
+smtp_tls_security_level = encrypt
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
diff --git a/roles/postfix/templates/nftables/output.d/postfix.conf.j2 b/roles/postfix/templates/nftables/output.d/postfix.conf.j2
index b824197..b01ce21 100644
--- a/roles/postfix/templates/nftables/output.d/postfix.conf.j2
+++ b/roles/postfix/templates/nftables/output.d/postfix.conf.j2
@@ -1,3 +1,3 @@
 # {{ ansible_managed }}
-ip daddr {{ hostvars[relayhost].ipv4_addr }} tcp dport { 25, 587 } accept comment "Allow SMTP/submission to relayhost"
+ip daddr {{ hostvars[relayhost].ipv4_addr }} tcp dport { 465 } accept comment "Allow submissions to relayhost"
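Review bot: The relay port is hard-coded as `465` in the `relayhost` line of `main.cf.j2` and again in the `tcp dport { 465 }` rule of `nftables/output.d/postfix.conf.j2`, so a later change to one template can leave the firewall dropping all outbound mail. A single role variable used in both places would keep them in step, for example `relayhost = [{{ hostvars[relayhost].ipv4_addr }}]:{{ postfix_relay_port }}`; `postfix_relay_port` is a name suggested here, not one the role is shown to define. It would also help to add a comment above `relayhost` such as `# 465 is implicit TLS; depends on smtp_tls_wrappermode = yes below`, since the port only works together with the setting added in the second hunk.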
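Review bot: In the second hunk of `main.cf.j2`, `smtp_tls_security_level = encrypt` makes TLS mandatory but does not authenticate the relay, so any host answering on that address is accepted whatever certificate it presents. Since `smtp_tls_CApath` is already configured, consider `smtp_tls_security_level = verify` (or `secure`). Because `relayhost` is an IP literal, the expected certificate name would probably have to be set explicitly with `smtp_tls_verify_cert_match` or `smtp_tls_secure_cert_match`; alternatively the relay's certificate can be pinned with the `fingerprint` level. `smtp_tls_wrappermode` needs Postfix 3.0 or later, which is worth recording next to it, e.g. `# implicit TLS to the relay; requires Postfix >= 3.0`.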