Do not offer TLS. (This mitigation is not recommended.)
+For a attacking TLS client the following ACL snippet should work:
+
+ # to be prepended to your mail acl (the ACL referenced
+ # by the acl_smtp_mail main config option)
+ deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
+ deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
+
Fix
===