service/email.md

@@ -238,7 +238,7 @@ You might already have another `security_level` configured for other
 reasons, especially if that host already delivers mail to the internet
 at large (for example: [dane](http://www.postfix.org/TLS_README.html#client_tls_dane) or [may](http://www.postfix.org/TLS_README.html#client_tls_may)). In that case, do make
 sure that mails are encrypted when talking to the `relayhost`, for
-example through a [`smtp_tls_policy_maps`](http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps). You want at least the
+example through a [`smtp_tls_policy_maps`](http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps) (see below). You want at least the
 `verify` (if you trust DNS to return the right MX records) or `secure`
 (if you don't). `dane` *can* work (for now) because we do support
 DNSSEC, but that might change in the future.
@@ -280,6 +280,18 @@ For debugging, you can make SMTP client sessions verbose in Postfix:
 
     smtp      unix  -       -       -       -       -       smtp -v
 
+To use a `tls_policy_map` for just the mails you're delivering via Tor's
+mail server (assuming you want to use security level `dane-only`,
+otherwise change it to `verify` or `secure` as described above), put the
+below into `/etc/postfix/tls_policy`:
+
+    submission.torproject.org:submission    dane-only
+
+Hash that file as well and use it in your config:
+
+    postmap /etc/postfix/tls_policy
+    postconf -e smtp_tls_policy_maps=hash:/etc/postfix/tls_policy
+
 `smtp_sasl_mechanism_filter` is also very handy for debugging. For
 example, you can try to force the authentication mechanism to
 `cram-md5` this way.