key     = tls_key.pem
cert    = tls_cert.pem
dhparam = dhparams.pem

ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384
minVersion = TLSv1
rejectUnauthorized=false
requestCert=true
honorCipherOrder=true
requireAuthorized[]=2465
requireAuthorized[]=2587

no_starttls_ports[]=2525

[redis]
; options in this block require redis to be available.

; remember when a remote fails STARTTLS. The next time they connect,
;     don't offer STARTTLS option (so message gets delivered).
;     pro: increases mail reliability
;     con: reduces security
; default: false
; disable_for_failed_hosts=true


; no_tls_hosts - disable TLS for servers with broken TLS.
[no_tls_hosts]
; 127.0.0.1
; 192.168.1.1
; 172.16.0.0/16

[outbound]
key     = outbound_tls_key.pem
cert    = outbound_tls_cert.pem
dhparam = dhparams.pem
ciphers = ECDHE-RSA-AES256-GCM-SHA384
minVersion = TLSv1
rejectUnauthorized=false
requestCert=false
honorCipherOrder=false
force_tls_hosts[]=first.example.com
force_tls_hosts[]=second.example.net