diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6503c48..680ce59 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # CHANGELOG
+## 0.2.41
+
+* added postfix settings:
+ - **smtp_tls_mandatory_protocols**
+ - **smtp_tls_ca_path** for **smtp_tls_CApath**
+
 ## 0.2.40
 * Added master.cf options for **RHEL 8**
diff --git a/manifests/init.pp b/manifests/init.pp
index 92f4599..5aa2713 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -80,6 +80,8 @@
 $smtpd_sasl_auth_enable = false,
 $smtpd_use_tls = false,
 $smtpd_tls_protocols = [ '!SSLv2', '!SSLv3' ],
+ $smtp_tls_mandatory_protocols = [],
+ $smtp_tls_ca_path = undef,
 $smtp_use_tls = false,
 $smtp_tls_exclude_ciphers = [],
 $smtpd_tls_mandatory_ciphers = undef,
diff --git a/metadata.json b/metadata.json
index 6a87d57..76ee26b 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "eyp-postfix",
- "version": "0.2.40",
+ "version": "0.2.41",
 "author": "eyp",
 "summary": "postfix management - relay or multidomain mailserver",
 "license": "Apache-2.0",
diff --git a/templates/main.cf.erb b/templates/main.cf.erb
index 4f7344f..7b72f55 100644
--- a/templates/main.cf.erb
+++ b/templates/main.cf.erb
@@ -814,6 +814,14 @@ smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.pem
 smtpd_tls_key_file=/etc/pki/tls/private/postfix-key.key
 <%- end -%>
+<% if @smtp_tls_mandatory_protocols.any? -%>
+smtp_tls_mandatory_protocols = <%= @smtp_tls_mandatory_protocols.join(',') %>
+<% end -%>
+
+<% if defined?(@smtp_tls_ca_path) -%>
+smtp_tls_CApath = <%= @smtp_tls_ca_path %>
+<% end -%>
+
 <%- if defined?(@biff) -%>
 biff = <%= scope.function_bool2yesno([@biff]) %>
 <%- end -%>
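Review bot: `$smtp_tls_mandatory_protocols = []` gives the SMTP client no protocol floor from this module, while the server-side `$smtpd_tls_protocols` just above it defaults to `[ '!SSLv2', '!SSLv3' ]`. With the empty default the template writes nothing and the installed Postfix's built-in default applies, which on older releases may still permit SSLv3. Consider the matching default, `$smtp_tls_mandatory_protocols = [ '!SSLv2', '!SSLv3' ],`, or at least a comment next to the parameter saying `# empty array: setting is omitted and Postfix's compiled-in default is used`. Both new parameters are also untyped, so a plain string passed for the array only fails later at `.any?` in the template; if the module's minimum Puppet version allows it, `Array[String] $smtp_tls_mandatory_protocols = [],` would reject it at the class boundary. The parameter list starts and ends outside this hunk.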
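Review bot: The two new blocks render `smtp_tls_mandatory_protocols` and `smtp_tls_CApath` without telling the operator when Postfix actually honours them. The first is only consulted when the SMTP client runs at a mandatory TLS level (`smtp_tls_security_level = encrypt` or stronger), so opportunistic sessions are not restricted by it, and a CA directory does not by itself make the client reject untrusted certificates. Whether this template sets a security level is not visible in the hunk. I would emit a comment line above each setting, for example `# applies to mandatory TLS only (smtp_tls_security_level = encrypt or stronger)` and `# used for peer verification; must be reachable inside the chroot if the smtp client runs chrooted`.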