Thanks for the reply. Option #1 is not always applicable. My instance of Xeams is used for filtering spam before relaying to the intended address, which may or may not be owned by my organization. It's used for a web hosting relay server. Each customer who hosts with me may host their email systems elsewhere, so their domain would not be part of my "owned" domains.

My understanding of STARTTLS is that the downstream server would host the SSL cert, not my Xeams instance. Can Xeams be configured with a cert for use with STARTTLS? And if yes, how to configure that?