diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..8329cf5
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,16 @@
+postfix:
+ ssl:
+ key: /etc/ssl/private/ssl-cert-snakeoil.key
+ cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
+ outgoing_security_level: may
+ incoming_security_level: may
+ enable_opendkim: false
+ message_size_limit: 20480000
+ relay_transport: smtp
+ relayhost: ''
+ relay_domains: []
+ sender_dependent_relayhost_maps: ''
+ virtual_alias_maps: ''
+ virtual_mailbox_domains: []
+ mynetworks: []
+ mydestination: []
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index 024930a..5dcc5d1 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@@ -20,11 +20,14 @@ readme_directory = no
 compatibility_level = 2
 # TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-smtpd_use_tls=yes
+smtpd_tls_cert_file = {{ postfix.ssl.cert }}
+smtpd_tls_key_file = {{ postfix.ssl.key }}
+smtpd_use_tls = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_security_level = {{ postfix.ssl.incoming_security_level }}
+smtpd_tls_auth_only = yes
+smtp_tls_security_level = {{ postfix.ssl.outgoing_security_level }}
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
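Review bot: `mynetworks: []` carries no comment about what an entry grants, yet the template splices every element into Postfix's `mynetworks`, and the `smtpd_relay_restrictions = permit_mynetworks …` shown in the next hunk's header turns each of those addresses into an unauthenticated relay source, so a stray `0.0.0.0/0` or a broad office range makes the host an open relay. I'd add above the key: `# Each entry may relay WITHOUT authentication (permit_mynetworks); keep to trusted, narrow ranges.` Likewise `outgoing_security_level: may` is opportunistic only — with a `relayhost` configured a STARTTLS-stripping attacker silently downgrades delivery to cleartext — so document that relayhost deployments should set `encrypt` (or `secure` once a CA bundle is configured). The snakeoil `key`/`cert` defaults deserve a one-line warning as well, e.g. `# Distro self-signed placeholder; replace with a CA-issued certificate before offering submission/SASL.`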
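Review bot: The new `smtp_tls_security_level = {{ postfix.ssl.outgoing_security_level }}` line is added without any `smtp_tls_CAfile`/`smtp_tls_CApath`, so the only values the variable can usefully take are `none`, `may` and `encrypt`; `secure` or `verify` would fail certificate verification on every outbound session because Postfix has no trust store configured. I'd add the distribution CA bundle beside it, e.g. `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` (adjust the path per distro), which is harmless at `may` and makes the stricter levels actually work. The hunk also leaves the protocol floor at Postfix's defaults, which on releases still in common use admit TLSv1.0/1.1; `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` and the matching `smtp_tls_protocols` (plus the `*_mandatory_protocols` pair) would pin that. `smtpd_tls_auth_only = yes` is the right choice and merits a why-comment such as `# never advertise AUTH on a cleartext session`.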
@@ -34,25 +37,25 @@ smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_una
 myhostname = {{ inventory_hostname }}
 mydomain = {{ postfix.mydomain|d(ansible_domain) }}
 myorigin = $mydomain
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix.mynetworks|d([])|join(' ') }}
-mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost {{ postfix.mydestination|d([])|join(' ') }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix.mynetworks|join(' ') }}
+mydestination = {{ inventory_hostname_short }} {{ inventory_hostname }} localhost {{ postfix.mydestination|join(' ') }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
-relayhost = {{ postfix.relayhost|d('') }}
-relay_domains = {{ postfix.relay_domains|d([])|join(', ') }}
-relay_transport = {{ postfix.relay_transport|d('smtp') }}
-sender_dependent_relayhost_maps = {{ postfix.sender_dependent_relayhost_maps|d('') }}
-virtual_alias_maps = {{ postfix.virtual_alias_maps|d('') }}
-virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|d([])|join(' ') }}
+relayhost = {{ postfix.relayhost }}
+relay_domains = {{ postfix.relay_domains|join(', ') }}
+relay_transport = {{ postfix.relay_transport }}
+sender_dependent_relayhost_maps = {{ postfix.sender_dependent_relayhost_maps }}
+virtual_alias_maps = {{ postfix.virtual_alias_maps }}
+virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|join(' ') }}
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = all
-message_size_limit = {{ postfix.message_size_limit|d('20480000') }}
+message_size_limit = {{ postfix.message_size_limit }}
 {% if "virtual_transport" in postfix and postfix.virtual_transport == "dovecot" %}
 smtpd_sasl_type = dovecot
@@ -68,7 +71,7 @@ virtual_transport = dovecot
 # opendkim
-{% if postfix.enable_opendkim|d(false) %}
+{% if postfix.enable_opendkim %}
 milter_protocol = 6
 milter_default_action = accept
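Review bot: Dropping the `|d(...)` fallbacks on `postfix.mynetworks`, `postfix.relayhost`, `postfix.relay_domains` and the other keys in this hunk makes the template abort with an undefined-variable error for any inventory that defines its own `postfix:` mapping without every key — under Ansible's default `hash_behaviour = replace` a host/group `postfix:` replaces the whole `defaults/main.yml` dict rather than merging into it. Failing at template time is preferable to silently rendering an empty `relayhost`, but it is a breaking change for existing inventories and should be called out in the README or mitigated by keeping the filters aligned with the defaults, e.g. `relayhost = {{ postfix.relayhost|d('') }}`. The context line `mydomain = {{ postfix.mydomain|d(ansible_domain) }}` still uses the fallback (there is no `mydomain` in the new defaults) while `mynetworks` on the next line does not, so both conventions now sit side by side. Separately, `relay_domains` is joined with `', '` while `mynetworks`, `mydestination` and `virtual_mailbox_domains` use `' '`; Postfix accepts either, but one separator would read more consistently.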