diff --git a/library/roles/postfix/defaults/main.yml b/library/roles/postfix/defaults/main.yml
index e8def68..cd19e64 100644
--- a/library/roles/postfix/defaults/main.yml
+++ b/library/roles/postfix/defaults/main.yml
@@ -27,7 +27,7 @@ postfix_tls_dhparam_file: /etc/postfix/dhparam.pem
 # Accepted values: none, may, encrypt
 postfix_smtpd_tls_security_level: encrypt
 # Accepted values: none, may, encrypt, fingerprint, verify, secure. And from 2.11: dane, dane-only
-postfix_smtp_tls_security_level: encrypt
+postfix_smtp_tls_security_level: may
 postfix_use_sasl_auth: True
 postfix_smtp_sasl_auth_enable: "yes"
 postfix_smtp_create_relay_user: True
diff --git a/library/roles/postfix/templates/master.cf.j2 b/library/roles/postfix/templates/master.cf.j2
index ed6d5a2..12b71d1 100644
--- a/library/roles/postfix/templates/master.cf.j2
+++ b/library/roles/postfix/templates/master.cf.j2
@@ -16,7 +16,7 @@ smtp      inet  n       -       n       -       -       smtpd
 {% if postfix_smtpd_server %}
 submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
-  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}
 {% if postfix_use_letsencrypt %}
   -o smtpd_tls_cert_file={{ letsencrypt_acme_certs_dir }}/cert
   -o smtpd_tls_key_file={{ letsencrypt_acme_certs_dir }}/privkey