diff --git a/docs/roles/debian/apache.md b/docs/roles/debian/apache.md index 1cf82d612..c39087ef8 100644 --- a/docs/roles/debian/apache.md +++ b/docs/roles/debian/apache.md @@ -55,16 +55,18 @@ apache: handling: selfsigned # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing: # handling: letsencrypt - # http_01_port: 5000 + # http_01_port: 80 # autorenew: true # email: sysadm@codeenigma.com - # services: [] + # services: + # - apache2 # web_server: standalone # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n" # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew" # reload_command: restart # reload: - # - apache + # - apache2 + # on_calendar: "Mon *-*-* 04:00:00" is_default: true basic_auth: auth_enabled: false diff --git a/docs/roles/debian/postfix.md b/docs/roles/debian/postfix.md index 0abe2aa0b..e63f3b70a 100644 --- a/docs/roles/debian/postfix.md +++ b/docs/roles/debian/postfix.md @@ -1,5 +1,7 @@ # Postfix -Installs and configures Postfix for sending mail. Mail sending is disabled by default. +Installs and configures Postfix for sending mail. Mail sending is disabled by default using transport maps. + +Full TLS SMTP support is optional by enabling SSL. @@ -36,6 +38,13 @@ postfix: aliases: [] #- user: root # alias: admin@example.com + # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere + ssl: + enabled: false + smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem + smtp_tls_CApath: /etc/ssl/certs + smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt ``` diff --git a/roles/debian/apache/README.md b/roles/debian/apache/README.md index 1cf82d612..c39087ef8 100644 --- a/roles/debian/apache/README.md +++ b/roles/debian/apache/README.md 
@@ -55,16 +55,18 @@ apache:
 handling: selfsigned
 # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing:
 # handling: letsencrypt
- # http_01_port: 5000
+ # http_01_port: 80
 # autorenew: true
 # email: sysadm@codeenigma.com
- # services: []
+ # services:
+ # - apache2
 # web_server: standalone
 # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n"
 # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew"
 # reload_command: restart
 # reload:
- # - apache
+ # - apache2
+ # on_calendar: "Mon *-*-* 04:00:00"
 is_default: true
 basic_auth:
 auth_enabled: false
diff --git a/roles/debian/apache/defaults/main.yml b/roles/debian/apache/defaults/main.yml
index e08cb15b4..0b187f183 100644
--- a/roles/debian/apache/defaults/main.yml
+++ b/roles/debian/apache/defaults/main.yml
@@ -45,16 +45,18 @@ apache:
 handling: selfsigned
 # Sample LetsEncrypt config, because include_role will not merge defaults these all need providing:
 # handling: letsencrypt
- # http_01_port: 5000
+ # http_01_port: 80
 # autorenew: true
 # email: sysadm@codeenigma.com
- # services: []
+ # services:
+ # - apache2
 # web_server: standalone
 # certbot_register_command: "/usr/bin/certbot certonly --agree-tos --preferred-challenges http -n"
 # certbot_renew_command: "/usr/bin/certbot certonly --agree-tos --force-renew"
 # reload_command: restart
 # reload:
- # - apache
+ # - apache2
+ # on_calendar: "Mon *-*-* 04:00:00"
 is_default: true
 basic_auth:
 auth_enabled: false
diff --git a/roles/debian/postfix/README.md b/roles/debian/postfix/README.md
index 0abe2aa0b..e63f3b70a 100644
--- a/roles/debian/postfix/README.md
+++ b/roles/debian/postfix/README.md
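Review bot: The sample now points certbot's standalone HTTP-01 listener at `http_01_port: 80` (previously 5000) while the same block declares the vhost `is_default: true`, which presumably means Apache already holds port 80 when certbot runs; nothing in the sample says how that bind conflict is resolved, and the new `services:` list naming `apache2` is the only hint. A one-line comment above `# services:` such as `# services stopped while certbot's standalone listener needs port 80 (TODO confirm against the ssl role)` would make the sample usable without reading the ssl role, which is not part of this diff. The mapping these commented lines sit in starts above the hunk, so the surrounding keys are not visible here.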
@@ -1,5 +1,7 @@ # Postfix -Installs and configures Postfix for sending mail. Mail sending is disabled by default. +Installs and configures Postfix for sending mail. Mail sending is disabled by default using transport maps. + +Full TLS SMTP support is optional by enabling SSL. @@ -36,6 +38,13 @@ postfix: aliases: [] #- user: root # alias: admin@example.com + # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere + ssl: + enabled: false + smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem + smtp_tls_CApath: /etc/ssl/certs + smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt ``` diff --git a/roles/debian/postfix/defaults/main.yml b/roles/debian/postfix/defaults/main.yml index e0f09c009..10e373b83 100644 --- a/roles/debian/postfix/defaults/main.yml +++ b/roles/debian/postfix/defaults/main.yml @@ -27,3 +27,10 @@ postfix: aliases: [] #- user: root # alias: admin@example.com + # Basic optional SSL handling - does not currently use the SSL role, as it is likely being handled elsewhere + ssl: + enabled: false + smtp_tls_cert_file: "" # full path to certificate, e.g. /etc/letsencrypt/live/acme.com/fullchain.pem + smtp_tls_key_file: "" # full path to key, e.g. /etc/letsencrypt/live/acme.com/privkey.pem + smtp_tls_CApath: /etc/ssl/certs + smtp_tls_CAfile: /etc/ssl/certs/ca-certificates.crt diff --git a/roles/debian/postfix/templates/main.cf.j2 b/roles/debian/postfix/templates/main.cf.j2 index d4dfa9853..4021d5b45 100644 --- a/roles/debian/postfix/templates/main.cf.j2 +++ b/roles/debian/postfix/templates/main.cf.j2 
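Review bot: In the postfix defaults hunk the new `ssl` block leaves `smtp_tls_cert_file` and `smtp_tls_key_file` as empty strings with no comment saying they become mandatory once `enabled` is true, and the main.cf.j2 hunk in this same diff interpolates them verbatim, so an operator who flips the flag without both paths ends up with `smtp_tls_cert_file = ` written into main.cf. I would extend the comment on `enabled` to `# when true, both *_file paths below must be set — the template writes them into main.cf unvalidated` and, if the role has a tasks file, guard them with an `assert`; the tasks file is not in this diff so I can't tell whether such a check already exists.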
@@ -37,9 +37,20 @@ non_smtpd_milters = inet:localhost:8891
 smtp_sasl_auth_enable = yes
 smtp_sasl_security_options = noanonymous
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+{% endif %}
+{% if postfix.use_ses or postfix.ssl.enabled %}
 smtp_use_tls = yes
 smtp_tls_note_starttls_offer = yes
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_tls_CApath = {{ postix.ssl.smtp_tls_CApath }}
+smtp_tls_CAfile = {{ postix.ssl.smtp_tls_CAfile }}
+{% endif %}
+{% if postfix.ssl.enabled %}
+smtp_tls_cert_file = {{ postix.ssl.smtp_tls_cert_file }}
+smtp_tls_key_file = {{ postix.ssl.smtp_tls_key_file }}
+smtpd_tls_cert_file = {{ postix.ssl.smtp_tls_cert_file }}
+smtpd_tls_key_file = {{ postix.ssl.smtp_tls_key_file }}
+smtpd_tls_CApath = {{ postix.ssl.smtp_tls_CApath }}
+smtpd_tls_CAfile = {{ postix.ssl.smtp_tls_CAfile }}
 {% endif %}
 {% if (is_local is defined) and is_local %}
 # Force all mail to ce-dev user.
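Review bot: Every templated value in the new TLS lines references `postix.ssl.*` instead of `postfix.ssl.*` (all eight lines from `smtp_tls_CApath` down to `smtpd_tls_CAfile`), so with Ansible's default undefined-variable handling the template stops rendering as soon as `postfix.use_ses` or `postfix.ssl.enabled` is true — which also breaks the SES path that previously worked with the hard-coded `smtp_tls_CAfile`. Beyond the typo, the `postfix.ssl.enabled` block sets `smtpd_tls_cert_file`/`smtpd_tls_key_file` but never `smtpd_tls_security_level`, and Postfix's server side does not offer STARTTLS until that parameter (or the obsolete `smtpd_use_tls`) is set, so the "full TLS SMTP support" the README promises is not actually switched on inbound; the client side likewise still relies on the obsolete `smtp_use_tls = yes` rather than `smtp_tls_security_level`. I would correct the variable prefix on all eight lines, add `smtp_tls_security_level = may` next to `smtp_use_tls = yes` in the shared block, and add `smtpd_tls_security_level = may` to the `ssl.enabled` block. The `{% if %}` that the first added `{% endif %}` closes begins above this hunk, so whether the SASL lines and the new TLS lines land in the intended blocks can't be fully checked from here.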