diff --git a/attributes/default.rb b/attributes/default.rb
index f92a13b..17aa744 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -5,6 +5,8 @@ default[:postfix][:myorigin]   = "$myhostname"
 default[:postfix][:relayhost]  = ""
 default[:postfix][:mail_relay_networks] = "127.0.0.0/8"
 
+default[:postfix][:smtpd_use_tls] = "yes"
+
 default[:postfix][:smtp_sasl_auth_enable] = "no"
 default[:postfix][:smtp_sasl_password_maps]    = "hash:/etc/postfix/sasl_passwd"
 default[:postfix][:smtp_sasl_security_options] = "noanonymous"
diff --git a/templates/default/main.cf.erb b/templates/default/main.cf.erb
index 7d91afc..935f22c 100644
--- a/templates/default/main.cf.erb
+++ b/templates/default/main.cf.erb
@@ -5,10 +5,12 @@
 
 biff = no
 append_dot_mydomain = no
+smtpd_use_tls = <%= node[:postfix][:smtpd_use_tls] %>
+<% if node[:postfix][:smtpd_use_tls] == "yes" -%>
 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_use_tls=yes
 smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
+<% end -%>
 smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
 smtp_sasl_auth_enable = <%= node[:postfix][:smtp_sasl_auth_enable] %>
 <% if node[:postfix][:smtp_sasl_auth_enable] == "yes" -%>