diff --git a/roles/base/files/postfix/main.cf/main.cf.smtp-mm b/roles/base/files/postfix/main.cf/main.cf.smtp-mm
index 43fd3f7772..2ab60e033d 100644
--- a/roles/base/files/postfix/main.cf/main.cf.smtp-mm
+++ b/roles/base/files/postfix/main.cf/main.cf.smtp-mm
@@ -699,3 +699,40 @@ inet_protocols = all
 transport_maps = hash:/etc/postfix/transport
 message_size_limit = 20971520
+
+## TLS
+# enable opportunistic TLS support in the SMTP server
+smtpd_use_tls = yes
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
+#tls_ssl_options = no_ticket, no_compression
+
+smtpd_tls_loglevel = 1
+smtpd_tls_cert_file = /etc/pki/tls/certs/gateway.crt
+smtpd_tls_key_file = /etc/pki/tls/private/gateway.key
+smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
+smtpd_tls_received_header = yes
+smtpd_tls_ask_ccert = yes
+smtpd_tls_received_header = yes
+tls_random_source = dev:/dev/urandom
+smtpd_tls_eecdh_grade = ultra
+tls_eecdh_strong_curve = prime256v1
+tls_eecdh_ultra_curve = secp384r1
+# TLS end
+#TLS Client
+smtp_tls_fingerprint_digest=sha1
+smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+smtp_tls_security_level = may
+smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
+smtp_tls_mandatory_ciphers = high
+smtp_tls_mandatory_exclude_ciphers= aNULL, MD5, RC4
+smtp_tls_loglevel = 1
+smtp_tls_cert_file = /etc/pki/tls/certs/gateway.crt
+smtp_tls_key_file = /etc/pki/tls/private/gateway.key
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
diff --git a/roles/base/tasks/postfix.yml b/roles/base/tasks/postfix.yml
index cb20baec59..453d339218 100644
--- a/roles/base/tasks/postfix.yml
+++ b/roles/base/tasks/postfix.yml
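Review bot: The protocol and cipher restrictions added here (`smtpd_tls_mandatory_protocols`, `smtpd_tls_mandatory_ciphers`, `smtpd_tls_mandatory_exclude_ciphers` and the `smtp_tls_mandatory_*` counterparts) only govern sessions at security level encrypt or stronger, yet both `smtpd_tls_security_level` and `smtp_tls_security_level` are set to `may`, so the opportunistic sessions this gateway will mostly see are governed by the unset `smtpd_tls_protocols`/`smtpd_tls_exclude_ciphers` and `smtp_tls_protocols`/`smtp_tls_exclude_ciphers` and fall back to whatever the installed Postfix build defaults to (older releases still permit SSLv3 there). Add the non-mandatory variants alongside the mandatory ones, and consider `!TLSv1, !TLSv1.1` as well if the Postfix version deployed accepts those names. `smtp_tls_fingerprint_digest=sha1` is a weak digest for any fingerprint-based entries in `/etc/postfix/tls_policy`; switch to `sha256` and regenerate those entries in the same change. `smtpd_tls_received_header = yes` appears twice in the server section; the duplicate is harmless but one copy should go. Excluding anonymous (aNULL) ciphers at level `may` buys nothing because the peer is never authenticated in opportunistic mode, so the opportunistic exclusion lists below leave aNULL in and drop only the weak-crypto suites.
```ini
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = MD5, RC4
# … unchanged: smtpd certificate, session cache and EECDH settings …
smtp_tls_fingerprint_digest = sha256
# … unchanged: smtp_tls_note_starttls_offer, policy_maps, security_level, mandatory_* …
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = MD5, RC4
```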
@@ -49,7 +49,7 @@ - name: create /etc/postfix/tls_policy copy: src="postfix/tls_policy" dest=/etc/postfix/tls_policy
- when: inventory_hostname.startswith(('bastion'))
+ when: inventory_hostname.startswith(('bastion','smtp-mm'))
notify: - rebuild postfix tls_policy - restart postfix
@@ -63,7 +63,7 @@ owner=root group=root mode=0644
- when: inventory_hostname.startswith(('bastion'))
+ when: inventory_hostname.startswith(('bastion','smtp-mm'))
notify: - restart postfix tags:
@@ -76,7 +76,7 @@ owner=root group=postfix mode=0640
- when: inventory_hostname.startswith(('bastion'))
+ when: inventory_hostname.startswith(('bastion','smtp-mm'))
notify: - restart postfix tags:
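Review bot: The host-prefix tuple `('bastion','smtp-mm')` is now repeated verbatim in three `when:` clauses (and presumably wherever the main.cf variant for these hosts is selected), so the next host class that needs the TLS policy map and the gateway certificate files must be added in every place or it silently gets an inconsistent Postfix setup; a single inventory group or a `postfix_tls_hosts` list tested with `inventory_hostname in ...` would keep the three tasks in step. The `startswith` match is also a prefix match, so any future host whose name happens to begin with `smtp-mm` or `bastion` receives these files without anyone deciding it should; at minimum state the intent above the first task, e.g. `# hosts running the TLS-enabled postfix config (tls_policy + gateway cert/key)`. The tasks touched by the second and third hunks begin outside the hunks, so which file is deployed with `mode=0640` to group `postfix` is not visible here.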