diff --git a/pillar.example b/pillar.example
index c537262..d00faa3 100644
--- a/pillar.example
+++ b/pillar.example
@@ -156,6 +156,7 @@ postfix:
 smtp_use_tls: 'yes'
 smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
 smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
+ smtp_tls_policy_maps: hash:/etc/postfix/tls_policy
 smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
 sender_canonical_maps: hash:/etc/postfix/sender_canonical
@@ -165,6 +166,10 @@ postfix:
 transport:
 DOMAIN_NAME: ':[IP_ADDRESS]'
+ tls_policy:
+ example.com: encrypt
+ .example.com: encrypt
+
 vmail:
 user: postfix_user
 password: DB_PASSWD
diff --git a/postfix/config.sls b/postfix/config.sls
index 94a1405..97aa6d5 100644
--- a/postfix/config.sls
+++ b/postfix/config.sls
@@ -101,6 +101,27 @@ run-postmap:
 - file: {{ postfix.config_path }}/transport
 {% endif %}
+{% if 'tls_policy' in pillar.get('postfix', '') %}
+{{ postfix.config_path }}/tls_policy:
+ file.managed:
+ - source: salt://postfix/files/tls_policy
+ - user: root
+ - group: {{ postfix.root_grp }}
+ - mode: 644
+ - require:
+ - pkg: postfix
+ - watch_in:
+ - service: postfix
+ - template: jinja
+
+run-postmap-tls-policy:
+ cmd.wait:
+ - name: {{ postfix.xbin_prefix }}/sbin/postmap {{ postfix.config_path }}/tls_policy
+ - cwd: /
+ - watch:
+ - file: {{ postfix.config_path }}/tls_policy
+{% endif %}
+
 {%- for domain in salt['pillar.get']('postfix:certificates', {}).keys() %}
 postfix_{{ domain }}_ssl_certificate:
diff --git a/postfix/files/tls_policy b/postfix/files/tls_policy
new file mode 100644
index 0000000..8830c22
--- /dev/null
+++ b/postfix/files/tls_policy
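Review bot: The new `smtp_tls_policy_maps: hash:/etc/postfix/tls_policy` line is unconditional, but the table it names is only rendered and postmap'ed by config.sls when a `postfix:tls_policy` pillar key exists, so an operator who copies this line alone ends up with a main.cf that references a lookup table that is never created on disk. The example should say so next to the line, e.g. `# only set this together with postfix:tls_policy below; config.sls builds tls_policy.db from that key`. A safer alternative would be to have config.sls emit this main.cf parameter itself from the same guard, but that is outside this hunk.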
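Review bot: Both example entries use the `encrypt` level, which makes TLS mandatory but performs no certificate verification, so the example as written still lets an on-path attacker terminate the session with any certificate. Given the client-certificate settings for a relay in the hunk above, the level a practitioner would want to see demonstrated is `secure` (or `verify`/`fingerprint`) against a CA configured via `smtp_tls_CAfile`, or at least a comment saying that `encrypt` does not authenticate the peer. Note also that Postfix indexes this table by the full next-hop destination, including any enclosing square brackets and non-default port, not by the recipient domain, so mail routed through the `transport` entry just above would be looked up under its nexthop (`[IP_ADDRESS]`), not under `example.com`; suggested example lines: `# key is the next-hop destination (e.g. '[relay.example.com]:587'), not the recipient domain` and `'[relay.example.com]:587': 'secure match=relay.example.com'`.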
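Review bot: The Postfix restart is hooked off the file change (`watch_in: service: postfix` on the file.managed state), while `run-postmap-tls-policy` only has `watch: file`, so nothing orders the service reload after the `postmap` run and the daemon can be reloaded while `tls_policy.db` is still stale or, on first deployment, absent. Adding `- watch_in:` / `  - service: postfix` to `run-postmap-tls-policy` makes the reload depend on the rebuilt table; if the existing `run-postmap` state for the transport map shares the same gap, it deserves the same fix. As a point of style, the guard `{% if 'tls_policy' in pillar.get('postfix', '') %}` only works because a substring test on the `''` default is false, whereas the neighbouring code uses `salt['pillar.get']('postfix:certificates', {})`; `{% if salt['pillar.get']('postfix:tls_policy') %}` would be consistent and explicit, unless the transport block above (outside this hunk) deliberately uses the same idiom.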
@@ -0,0 +1,17 @@
+#
+# This file is managed by salt
+#
+
+{% set config = salt['pillar.get']('postfix:tls_policy', {}) -%}
+{% macro set_parameter(parameter, default=None) -%}
+{% set value = config.get(parameter, default) -%}
+{% if value is not none -%}
+{{ parameter }} {{ value }}
+{% endif -%}
+{% endmacro -%}
+
+{# Accept arbitrary parameters -#}
+{% for parameter in config -%}
+{{ set_parameter(parameter) }}
+{% endfor -%}
+
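Review bot: The `set_parameter` macro with its unused `default` argument and the `{# Accept arbitrary parameters #}` comment read as if lifted from a main.cf-style key/value template, but this file is a Postfix lookup table whose keys are next-hop destinations and whose values are policy levels, and the indirection hides that. A direct loop says the same thing in three lines and also drops the blank line the macro call currently leaves between entries: `{% for destination, policy in config.items() -%}` / `{{ destination }} {{ policy }}` / `{% endfor -%}`. The header comment should state what the keys are, e.g. `# Postfix smtp_tls_policy_maps table: key is the next-hop destination (brackets and port included), value is the TLS level and optional match= attributes`, and note that values are emitted verbatim with no validation of the level name, so a typo such as `encrpyt` only surfaces as a Postfix lookup error at delivery time.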