diff --git a/src/mailsrv/assets/postfix/main.cf b/src/mailsrv/assets/postfix/main.cf
index e9c4f82..33cd6c6 100644
--- a/src/mailsrv/assets/postfix/main.cf
+++ b/src/mailsrv/assets/postfix/main.cf
@@ -8,7 +8,7 @@ myorigin = $mydomain
 # what host to use as a relay
 relayhost =
 # hosts to forward mail to
-relay_domains =
+#relay_domains =
 # only forward mail from local host
 mynetworks_style = host
 # domains to consider primary (local) endpoints
@@ -37,17 +37,10 @@ dovecot_destination_recipient_limit = 1
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 # whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'.
-smtpd_tls_security_level=encrypt
+smtpd_tls_security_level=may
 # where to find certs
 smtpd_tls_cert_file=/vol/ssl/fullchain.pem
 smtpd_tls_key_file=/vol/ssl/privkey.pem
-# domain to consider local
-smtpd_sasl_local_domain = $myhostname
-# security settings
-smtpd_client_restrictions = permit_sasl_authenticated, reject
-smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, permit_sasl_authenticated, reject
-#smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
-smtpd_sasl_security_options = noanonymous
 # what to use for sasl
 smtpd_sasl_type = dovecot
 # Can be an absolute path, or relative to $queue_directory
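Review bot: Commenting out `relay_domains =` (the `+#relay_domains =` line) replaces an explicit empty value with Postfix's compiled-in default, and that default is version-dependent: `$mydestination` before Postfix 3.0, empty from 3.0 on. This is not a relay hole, because `reject_unauth_destination` in `smtpd_relay_restrictions` still blocks unauthorized relaying, but the explicit empty setting behaved the same on every Postfix version and documented the intent. I would keep `relay_domains =` uncommented, or add a comment such as `# relay_domains left at the compiled-in default; relaying is gated by smtpd_relay_restrictions`.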
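Review bot: Relaxing `smtpd_tls_security_level` to `may` while `smtpd_sasl_auth_enable = yes` stays global in main.cf (it is context in the next hunk) means the port-25 smtpd can now announce and accept AUTH on unencrypted sessions, since `smtpd_tls_auth_only` defaults to `no`; before this change the global `encrypt` level kept AUTH behind STARTTLS. Submission gets `encrypt` from master.cf, but credentials offered to the MX service would travel in cleartext. Add `smtpd_tls_auth_only = yes` next to the TLS settings in main.cf, or keep SASL off the MX service with `-o smtpd_sasl_auth_enable=no` on the `smtp` line in master.cf. Dropping `smtpd_sasl_security_options = noanonymous` from main.cf is harmless on its own, as `noanonymous` is also the Postfix default.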
@@ -55,8 +48,27 @@ smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 # and the common settings to enable SASL:
 smtpd_sasl_auth_enable = yes
-# With Postfix version before 2.10, use smtpd_recipient_restrictions
+
+### Security ###
+# these settings apply to BOTH authenticated and unauthenticated mail
+# for security settings for only authenticated mail, use options in master.cf
+smtpd_delay_reject = yes
+smtpd_helo_required = yes
+# reject hosts with malformed identifiers
+smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+# reject hosts that improperly use SMTP commands
+smtpd_data_restrictions = reject_unauth_pipelining
+# reject unauthorized relay attempts
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
+# reject mail from IPs listed in spam list
+smtpd_recipient_restrictions =
+ permit_mynetworks,
+ permit_sasl_authenticated,
+# reject_rbl_client zen.spamhaus.org,
+# reject_rhsbl_reverse_client dbl.spamhaus.org,
+# reject_rhsbl_helo dbl.spamhaus.org,
+# reject_rhsbl_sender dbl.spamhaus.org,
+ permit
 
 ### Misc ###
 # whether to send "new mail" notifications to users
diff --git a/src/mailsrv/assets/postfix/master.cf b/src/mailsrv/assets/postfix/master.cf
index b8927f7..a95bb63 100644
--- a/src/mailsrv/assets/postfix/master.cf
+++ b/src/mailsrv/assets/postfix/master.cf
@@ -11,6 +11,10 @@
 # ==========================================================================
 smtp inet n - y - - smtpd
 submission inet n - y - - smtpd
+ -o smtpd_sasl_local_domain=$myhostname
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_security_options=noanonymous
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 
 # Local services
 # ==========================================================================
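Review bot: The new `smtpd_recipient_restrictions` is introduced with `# reject mail from IPs listed in spam list`, but every `reject_rbl_client`/`reject_rhsbl_*` entry is commented out and the list ends in `permit`, so the effective policy is permit_mynetworks, permit_sasl_authenticated, permit and the comment describes nothing that runs. Reword it to something like `# DNSBL checks (currently disabled); relay protection is in smtpd_relay_restrictions`, or enable the lookups that are meant to be active. `reject_unknown_recipient_domain` from the removed main.cf list has no replacement here, which may be intended now that relaying is gated by `smtpd_relay_restrictions`. The new `smtpd_helo_restrictions` also enables `reject_unknown_helo_hostname`, which was previously commented out and rejects peers whose HELO name has no DNS A/MX record; running it as `warn_if_reject reject_unknown_helo_hostname` until the logs show it does not hit legitimate senders is the safer rollout.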
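Review bot: The submission overrides carry no `-o syslog_name=postfix/submission`, so AUTH failures and accepted mail on the submission port log under the same `postfix/smtpd` name as MX traffic on port 25, and log-based monitoring (or any rule keyed on SASL failures) cannot separate the two. Add ` -o syslog_name=postfix/submission` as the first override under the `submission` line. An explicit ` -o smtpd_sasl_auth_enable=yes` here would also let main.cf switch SASL off for the MX service later without breaking submission. The `-o` values correctly contain no spaces, which master.cf requires.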