diff --git a/config/postfix/APKBUILD b/config/postfix/APKBUILD
index d6af560..85bad0d 100644
--- a/config/postfix/APKBUILD
+++ b/config/postfix/APKBUILD
@@ -3,7 +3,7 @@
 . ../APKBUILD-config.template
-pkgrel=0
+pkgrel=3
 depends="postfix-pgsql redxen-secret-letsencrypt-chain redxen-secret-letsencrypt-private"
 _rx_postfix_pgsql_source="
@@ -41,7 +41,7 @@ package() {
 sha512sums="
 1cb4072b03f3e9d79b15a082ccad99fc005129b56fc42c467713520f89feef298082637fbfaa01a04c2a1b6e69a254d9018adccaf9d98a4532f067214a4035f4 master.cf
-2db1a8123dd05326b8fa36e32fee1db974a811565df621002e48a1bc9a08e2995cf126933345d38c9f158c7855f8e82a2b09b9e1992046ab7c7bc7de0d077f6b main.cf
+d962d8989397b8615142c878908f9b5cbdb8c56308cef8c05a91f4ab674a3697fb62342f00c4c025041cfd223efd2a6f5dc15487268f3374e27b28651cbe544c main.cf
 e2e2073b064a921a9eeed028e17617bcd2d1235517d908b4daadef45eb4cbb8686023c532d7938a779021cdd9548afe97f59d4c3232e7e01dca229e37e8c63ff secret
 51595b478be5cb66c9cb92963ba82f3851a5e912a1c427330ebd1a5abedd3e763467448e83f5c58f08dc51e70d420d0db6026eccc9955e3bb58f52f3773a4c85 pgsql-aliases.cf
 df25ccb7d6d27fba0cf4c75b440b81fc80e006583ff56f7a78fb8ddc361a4e63a0d80e92ccaf34d72e59a7b3babf8ca893c7b055ae0f9d75c04fc9b40dd00608 pgsql-users.cf
diff --git a/config/postfix/main.cf b/config/postfix/main.cf
index 89e8797..d486927 100644
--- a/config/postfix/main.cf
+++ b/config/postfix/main.cf
@@ -35,7 +35,7 @@ smtpd_delay_reject = yes
 # SMTP behaviour
 smtp_tls_CApath = /etc/ssl/certs
-smtp_tls_security_level = may
+smtp_tls_security_level = dane
 smtp_tls_note_starttls_offer = yes
 smtpd_use_tls = yes
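Review bot: `smtp_tls_security_level = dane` is only as trustworthy as the DNS resolver behind it, and nothing next to the line records that dependency. Postfix takes the DNSSEC validation result from the resolver the system is configured to use, so that should be a validating resolver reached over a trusted path, ideally on loopback; the companion `smtp_dns_support_level = dnssec` only arrives in the later main.cf hunk. Destinations that publish no TLSA records still get opportunistic TLS, exactly as with `may`. I would add a comment above the line, for example `# dane: requires a DNSSEC-validating resolver on a trusted path; without TLSA records delivery falls back to opportunistic TLS`.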
@@ -44,20 +44,30 @@ smtpd_tls_key_file = /etc/redxen/letsencrypt/private.key
 smtpd_tls_security_level = may
 smtpd_tls_protocols = !SSLv2, !SSLv3
+smtp_dns_support_level = dnssec
+smtp_host_lookup = dns
+smtp_tls_loglevel = 1
+
+# Wait up to 30 seconds before delivering a reply regarding address verification
+# This helps with DANE verification
+address_verify_poll_count = ${stress?1}${stress:6}
+address_verify_poll_delay = 5s
+
 # Restrictions
+smtpd_helo_restrictions = reject_invalid_helo_hostname
 smtpd_sender_restrictions = reject_known_sender_login_mismatch,
  permit_sasl_authenticated,
- check_sender_access inline:{{$myorigin=553 not logged in}},
+ reject_unknown_sender_domain,
  reject_invalid_helo_hostname,
- reject_unknown_sender_domain
+ reject_non_fqdn_sender
 smtpd_relay_restrictions = permit_sasl_authenticated,
  reject_unauth_destination
-smtpd_recipient_restrictions = permit_sasl_authenticated,
+smtpd_recipient_restrictions = reject_unauth_pipelining,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
- reject_unverified_recipient
+ reject_unverified_recipient,
+ permit_sasl_authenticated
 smtpd_data_restrictions = reject_unauth_pipelining
-smtpd_helo_restrictions = reject_invalid_helo_hostname
 # Dovecot auth
 smtpd_sasl_auth_enable = yes
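Review bot: Dropping `check_sender_access inline:{{$myorigin=553 not logged in}}` from `smtpd_sender_restrictions` removes the only rule in this hunk that refuses an unauthenticated MAIL FROM in the local domain. `reject_known_sender_login_mismatch` covers only addresses listed in `smtpd_sender_login_maps`, which is not visible here, so local-domain senders outside that map would presumably now be accepted from clients that never logged in; either keep the inline check after `permit_sasl_authenticated` or add a comment saying where that case is rejected instead. In `smtpd_recipient_restrictions`, `permit_sasl_authenticated` now comes last, where it has no effect because reaching the end of the list already permits. Authenticated clients therefore go through `reject_unverified_recipient` and its probes, with the up-to-30-second wait configured above; if that is intended, delete the trailing entry and say so in a comment, otherwise move it back to the front.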