diff --git a/pkg/config/config.go b/pkg/config/config.go
index eb9713d0..e7e351b0 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -90,6 +90,7 @@ type SMTP struct {
 	TLSPrivKey string `default:"cert.key" desc:"X509 Private Key file for TLS Support"`
 	TLSCert string `default:"cert.crt" desc:"X509 Public Certificate file for TLS Support"`
 	Debug bool `ignored:"true"`
+	ForceTLS bool `default:"false" desc:"Listen for connections with TLS."`
 }
 
 // POP3 contains the POP3 server configuration.
diff --git a/pkg/server/smtp/handler.go b/pkg/server/smtp/handler.go
index 6b2e625e..f0aea40c 100644
--- a/pkg/server/smtp/handler.go
+++ b/pkg/server/smtp/handler.go
@@ -119,7 +119,7 @@ func NewSession(server *Server, id int, conn net.Conn, logger zerolog.Logger) *S
 	reader := bufio.NewReader(conn)
 	host, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
 
-	return &Session{
+	session := &Session{
 		Server: server,
 		id: id,
 		conn: conn,
@@ -131,6 +131,11 @@ func NewSession(server *Server, id int, conn net.Conn, logger zerolog.Logger) *S
 		debug: server.config.Debug,
 		text: textproto.NewConn(conn),
 	}
+	if server.config.ForceTLS {
+		session.tlsState = new(tls.ConnectionState)
+		*session.tlsState = conn.(*tls.Conn).ConnectionState()
+	}
+	return session
 }
 
 func (s *Session) String() string {
@@ -289,7 +294,7 @@ func (s *Session) greetHandler(cmd string, arg string) {
 	s.send("250-" + readyBanner)
 	s.send("250-8BITMIME")
 	s.send("250-AUTH PLAIN LOGIN")
-	if s.Server.config.TLSEnabled && s.Server.tlsConfig != nil && s.tlsState == nil {
+	if s.Server.config.TLSEnabled && !s.Server.config.ForceTLS && s.Server.tlsConfig != nil && s.tlsState == nil {
 		s.send("250-STARTTLS")
 	}
 	s.send(fmt.Sprintf("250 SIZE %v", s.config.MaxMessageBytes))
diff --git a/pkg/server/smtp/listener.go b/pkg/server/smtp/listener.go
index 5ce7a429..03e6416c 100644
--- a/pkg/server/smtp/listener.go
+++ b/pkg/server/smtp/listener.go
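Review bot: In the `@@ -131` hunk, `conn.(*tls.Conn).ConnectionState()` is evaluated before any I/O has happened on the connection, and a listener produced by `tls.Listen` does not run the handshake on Accept, so the stored `tlsState` is a zeroed state (HandshakeComplete false, no version or cipher suite) rather than the negotiated parameters — it is non-nil, which is enough to suppress STARTTLS, but misleading for anything that later inspects or logs it. The unchecked type assertion also panics the session goroutine if `conn` is ever not a `*tls.Conn`. Call `Handshake()` explicitly (after a deadline has been set on `conn`, if the accept path does not already do so, since it blocks on the peer) behind a checked assertion; NewSession has no error return, so on failure log it and leave `tlsState` nil, letting the first read surface the broken connection. NewSession begins outside this hunk.
```go
	if server.config.ForceTLS {
		tlsConn, ok := conn.(*tls.Conn)
		if !ok {
			logger.Warn().Msg("ForceTLS is set but the connection is not a *tls.Conn")
		} else if err := tlsConn.Handshake(); err != nil {
			// tls.Listen handshakes lazily on first I/O; force it here so the
			// recorded state reflects the negotiated connection.
			logger.Warn().Err(err).Msg("TLS handshake failed")
		} else {
			state := tlsConn.ConnectionState()
			session.tlsState = &state
		}
	}
	return session
```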
@@ -113,7 +113,11 @@ func (s *Server) Start(ctx context.Context, readyFunc func()) {
 		return
 	}
 	slog.Info().Str("addr", addr.String()).Msg("SMTP listening on tcp4")
-	s.listener, err = net.ListenTCP("tcp4", addr)
+	if s.config.ForceTLS {
+		s.listener, err = tls.Listen("tcp4", addr.String(), s.tlsConfig)
+	} else {
+		s.listener, err = net.ListenTCP("tcp4", addr)
+	}
 	if err != nil {
 		slog.Error().Err(err).Msg("Failed to start tcp4 listener")
 		s.notify <- err
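Review bot: The new `tls.Listen` branch is gated only on `s.config.ForceTLS`; when TLSEnabled is off or the certificate failed to load, `s.tlsConfig` is presumably nil and `tls.Listen` fails with a crypto/tls error about a missing certificate, which the existing handler then logs as "Failed to start tcp4 listener" — accurate, but it hides that this is a configuration error. A pre-check ahead of the branch gives a clear failure through the same `if err != nil` path: `if s.config.ForceTLS && s.tlsConfig == nil { err = errors.New("ForceTLS requires TLS to be enabled with a loaded certificate") }` (or `fmt.Errorf`, whichever package listener.go already imports). The preceding "SMTP listening on tcp4" log line could also carry `Bool("tls", s.config.ForceTLS)` so operators can tell from the log which mode the listener is in. Start begins and ends outside this hunk.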