tls_certificate = CONF_sysconf_dir/server.cert
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = *
-tls_dhparam = CONF_ca_dir/dh-param.pem
+tls_dhparam = CONF_ca_dir/dh-param-2048.pem
tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
{match_ip {$sender_host_address}{+trusted}}} \
{CONF_good_ciphers} \