diff --git a/roles/base/files/postfix/main.cf/main.cf.gateway b/roles/base/files/postfix/main.cf/main.cf.gateway
index 1493832d61..413a9a7311 100644
--- a/roles/base/files/postfix/main.cf/main.cf.gateway
+++ b/roles/base/files/postfix/main.cf/main.cf.gateway
@@ -747,11 +747,6 @@ smtp_tls_CApath = /etc/pki/tls/certs
 # smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
-# Use TLS if this is supported by the remote SMTP server, otherwise use
-# plaintext (opportunistic TLS outbound).
-#
-smtp_tls_security_level = may
-
 ## TLS
 # enable opportunistic TLS support in the SMTP server
 smtpd_use_tls = yes
@@ -772,7 +767,6 @@ smtpd_tls_eecdh_grade = ultra
 smtp_tls_fingerprint_digest=sha1
 smtp_tls_note_starttls_offer = yes
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
-smtp_tls_security_level = may
 smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
 smtp_tls_mandatory_ciphers = high
 smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
@@ -780,10 +774,11 @@ smtp_tls_loglevel = 1
 smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt
 smtp_tls_key_file = /etc/pki/tls/private/gateway.key
 smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
-smtp_tls_connection_reuse = yes
-smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com
+smtp_tls_connection_reuse = no
+smtp_connection_cache_destinations = mx2.redhat.com,gmail.com,google.com,scrye.com,redhat.com
 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
 smtp_tls_session_cache_timeout = 3600s
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
 ## End smtp_tls
 ## General TLS
 tls_random_source = dev:/dev/urandom
diff --git a/roles/base/files/postfix/tls_policy.gateway b/roles/base/files/postfix/tls_policy.gateway
new file mode 100644
index 0000000000..92d4dea51c
--- /dev/null
+++ b/roles/base/files/postfix/tls_policy.gateway
@@ -0,0 +1 @@
+redhat.com may
diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml
index 63708ba49a..2fcee58671 100644
--- a/roles/base/tasks/postfix.yml
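Review bot: Removing `smtp_tls_security_level = may` here (and its duplicate in the next hunk at old line 772) leaves the parameter at its empty default, under which the Postfix SMTP client falls back to the legacy `smtp_use_tls`, whose default is `no`; unless that legacy parameter is set elsewhere in this file, outbound mail to every destination not listed in `/etc/postfix/tls_policy` is now sent without attempting STARTTLS. The new policy table only covers `redhat.com`, and at the same `may` level, so the net effect is opportunistic TLS for one domain and none for the rest, which looks unlikely to be the intent. Keep a single global `smtp_tls_security_level = may` (dropping only the duplicate) and reserve the policy table for per-destination exceptions.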
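Review bot: The added `smtp_tls_policy_maps = hash:/etc/postfix/tls_policy` repeats the identical setting already present a few lines earlier (visible as context in the previous hunk, around line 770), so Postfix should warn about an earlier main.cf entry being overridden on every reload; drop one of the two. The flip of `smtp_tls_connection_reuse` from `yes` to `no` also deserves a why-comment, since it changes how the destinations listed on the next line are handled and the reason is not recoverable from the diff, e.g. `# connection reuse disabled on <date>: <record the reason here>` above the line.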
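Review bot: The key `redhat.com` is looked up against the next-hop destination, which for ordinary delivery is the recipient domain, so mail whose next-hop is a different name (for instance a transport entry pointing at `mx2.redhat.com`, which the main.cf hunk lists among the cache destinations) would not pick up this entry; confirm that is acceptable. A `#` comment line explaining why this domain gets an explicit `may` entry would help the next maintainer, since `may` is exactly the value the commit removes from main.cf and the purpose of the table is otherwise unclear, e.g. `# redhat.com: opportunistic TLS only — record the reason here`.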
+++ b/roles/base/tasks/postfix.yml
@@ -30,6 +30,21 @@
 - config
 - base
+- name: install /etc/postfix/tls_policy file
+ copy: src={{ item }} dest=/etc/postfix/tls_policy mode=0644
+ with_first_found:
+ - "postfix/master.cf/master.cf.{{ inventory_hostname }}"
+ - "postfix/master.cf/master.cf.{{ host_group }}"
+ - "postfix/master.cf/master.cf.{{ postfix_group }}"
+ - "postfix/master.cf/master.cf"
+ when: inventory_hostname.startswith(('bastion'))
+ notify:
+ - restart postfix
+ tags:
+ - postfix
+ - config
+ - base
+
 - name: Deploy sender_access file
 copy: src="{{private}}/files/smtpd/sender_access.{{postfix_group}}" dest="/etc/postfix/sender_access"
 when: postfix_group == "smtp-mm" or postfix_group == "mailman" or postfix_group == "gateway"
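Review bot: The `with_first_found` list in the new task still names `postfix/master.cf/master.cf.*` sources, so it installs a master.cf variant as `/etc/postfix/tls_policy` rather than the `postfix/tls_policy.gateway` file this commit adds; the sources should be `postfix/tls_policy.{{ ... }}`. Separately, main.cf declares the table as `hash:/etc/postfix/tls_policy`, which Postfix reads from the compiled `/etc/postfix/tls_policy.db`, and nothing here runs `postmap` after the copy; a restart alone leaves the lookup failing, which typically defers the affected deliveries. The `when: inventory_hostname.startswith(('bastion'))` guard also selects by hostname while the only source file is keyed by `postfix_group` (gateway); confirm those sets coincide. A rewrite that fixes the source paths and rebuilds the table when the file changes is sketched below.
```yaml
- name: install /etc/postfix/tls_policy file
  copy: src={{ item }} dest=/etc/postfix/tls_policy mode=0644
  with_first_found:
    - "postfix/tls_policy.{{ inventory_hostname }}"
    - "postfix/tls_policy.{{ postfix_group }}"
  register: tls_policy_file
  # … unchanged: when / notify / tags …

- name: rebuild the tls_policy hash table read via smtp_tls_policy_maps
  command: postmap hash:/etc/postfix/tls_policy
  when: inventory_hostname.startswith(('bastion')) and tls_policy_file.changed
  # … same notify / tags as the copy task …
```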