diff --git a/ConfigParser.py b/ConfigParser.py
index 206132293..541ff3f30 100755
--- a/ConfigParser.py
+++ b/ConfigParser.py
@@ -35,6 +35,8 @@ class Config:
 def __init__(self, cfg_file_name = "config.json"):
 f = open(cfg_file_name)
 self.cfg = json.loads(f.read())
+ self.tls_policies = {}
+ self.mx_map = {}
 for atr, val in self.cfg.items():
 # Verify each attribute of the structure
 if atr.startswith("comment"):
@@ -47,21 +49,39 @@ class Config:
 elif atr == "expires":
 self.expires = parse_timestamp(val)
 elif atr == "tls-policies":
- self.tls_policies = {}
 for domain,policies in self.check_tls_policy_domains(val):
 if type(policies) != dict:
 raise TypeError, domain + "'s policies should be a dict: " + `policies`
 self.tls_policies[domain] = {} # being here enforces TLS at all
- for policy, value in policies.items():
- if policy == "min-tls-version":
+ for policy, v in policies.items():
+ value = lower(str(v))
+ if policy == "require-tls":
+ if value in ("true", "1", "yes"):
+ self.tls_policies[domain]["required"] = True
+ elif value in ("false", "0", "no"):
+ self.tls_policies[domain]["required"] = False
+ else:
+ raise ValueError, "Unknown require-tls value " + `value`
+ elif policy == "min-tls-version":
 reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 if not value in reasonable:
 raise ValueError, "Not a valid TLS version string: " + `value`
 self.tls_policies[domain]["min-tls-version"] = str(value)
+ elif policy == "enforce-mode":
+ if value == "enforce":
+ self.tls_policies[domain]["enforce"] = True
+ elif value == "log-only":
+ self.tls_policies[domain]["enforce"] = False
+ else:
+ raise ValueError, "Not a known enoforcement policy " + `value`
 elif atr == "acceptable-mxs":
- pass
+ for domain, mxball in acceptable_mx:
+ pass
 else:
 sys.stderr.write("Uknown attribute: " + `atr` + "\n")
+ # XXX is it ever permissible to have a domain with an acceptable-mx
+ # that does not point to a TLS security policy? If not, check/warn/fail
+ # here
 print self.tls_policies

 def check_tls_policy_domains(self, val):
diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py
index 875624e57..1d322c8e9 100755
--- a/MTAConfigGenerator.py
+++ b/MTAConfigGenerator.py
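Review bot: The new `value = lower(str(v))` line breaks the unchanged min-tls-version branch below it, because `value` is now lowercased while `reasonable` still holds mixed-case entries such as `"TLSv1.2"`, so every min-tls-version setting will now raise "Not a valid TLS version string"; in addition `lower` is not a Python 2 builtin, so unless this file does `from string import *` the line is a NameError before any policy is checked. Use `str(v).lower()` and compare against a lowercased lookup that maps back to the canonical spelling, as sketched below. The acceptable-mxs branch iterates `acceptable_mx`, a name not defined anywhere in the hunk (the attribute's value is `val`), so the first config that contains that key will also fail with NameError, and `self.mx_map` is never populated. Separately, a domain whose policy block omits `require-tls` or `enforce-mode` ends up with neither a `"required"` nor an `"enforce"` key, so whatever consumes `self.tls_policies` must default both to the strict setting or a missing field becomes fail-open; stating that default next to the `# being here enforces TLS at all` comment would make the contract explicit.
```python
for policy, v in policies.items():
    value = str(v).lower()
    # … unchanged: require-tls branch …
    elif policy == "min-tls-version":
        reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
        # match case-insensitively but store the canonical spelling
        canonical = dict((r.lower(), r) for r in reasonable)
        if value not in canonical:
            raise ValueError, "Not a valid TLS version string: " + `v`
        self.tls_policies[domain]["min-tls-version"] = canonical[value]
    # … unchanged: enforce-mode branch …
```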
@@ -78,7 +78,7 @@ class PostfixConfigGenerator(MTAConfigGenerator):
 # Check we're currently accepting inbound STARTTLS sensibly
 self.ensure_cf_var("smtpd_use_tls", "yes", [])
 # Ideally we use it opportunistically in the outbound direction
- self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt"])
+ self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt","dane"])
 # Maximum verbosity lets us collect failure information
 self.ensure_cf_var("smtp_tls_loglevel", "1", [])
 # Inject a reference to our per-domain policy map
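Review bot: Accepting `dane` as an already-set `smtp_tls_security_level` only buys DANE verification when Postfix is also configured with `smtp_dns_support_level = dnssec` behind a DNSSEC-validating resolver; without that Postfix degrades the `dane` level to `may`, so this check passes while the real outbound posture is still opportunistic. When the current value is `dane`, also check that setting, e.g. `self.ensure_cf_var("smtp_dns_support_level", "dnssec", [])`, or at least log that the dane level cannot be verified here. The stricter global levels (`dane-only`, `verify`, `secure`) are presumably still not accepted by this call although they are at least as safe as `encrypt` for the per-domain policy map's purposes; whether rejecting them is intentional depends on `ensure_cf_var`, whose behaviour on a non-listed value is not visible in the hunk. The enclosing method starts and ends outside the hunk.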