diff --git a/.env.dist b/.env.dist
index 8222f4d8..76606cda 100644
--- a/.env.dist
+++ b/.env.dist
@@ -261,6 +261,15 @@ SASLAUTHD_LDAP_SEARCH_BASE=
 # e.g. for openldap: `(&(uid=%U)(objectClass=person))`
 SASLAUTHD_LDAP_FILTER=
 
+# empty => no
+# yes => LDAP over TLS enabled for SASL
+# Must not be used together with SASLAUTHD_LDAP_SSL=1_
+SASLAUTHD_LDAP_START_TLS=
+
+# empty => no
+# yes => Require and verify server certificate
+SASLAUTHD_LDAP_TLS_CHECK_PEER=
+
 # empty => No sasl_passwd will be created
 # string => `/etc/postfix/sasl_passwd` will be created with the string as password
 SASL_PASSWD=
diff --git a/docker-compose.elk.yml.dist b/docker-compose.elk.yml.dist
index 4613ac86..c9e042f9 100644
--- a/docker-compose.elk.yml.dist
+++ b/docker-compose.elk.yml.dist
@@ -68,6 +68,8 @@ services:
 - SASLAUTHD_LDAP_PASSWORD=${SASLAUTHD_LDAP_PASSWORD}
 - SASLAUTHD_LDAP_SEARCH_BASE=${SASLAUTHD_LDAP_SEARCH_BASE}
 - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
+ - SASLAUTHD_LDAP_START_TLS=${SASLAUTHD_LDAP_START_TLS}
+ - SASLAUTHD_LDAP_TLS_CHECK_PEER=${SASLAUTHD_LDAP_TLS_CHECK_PEER}
 - SASL_PASSWD=${SASL_PASSWD}
 cap_add:
 - NET_ADMIN
diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist
index a1a17a19..5a6f84f1 100644
--- a/docker-compose.yml.dist
+++ b/docker-compose.yml.dist
@@ -68,6 +68,8 @@ services:
 - SASLAUTHD_LDAP_PASSWORD=${SASLAUTHD_LDAP_PASSWORD}
 - SASLAUTHD_LDAP_SEARCH_BASE=${SASLAUTHD_LDAP_SEARCH_BASE}
 - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
+ - SASLAUTHD_LDAP_START_TLS=${SASLAUTHD_LDAP_START_TLS}
+ - SASLAUTHD_LDAP_TLS_CHECK_PEER=${SASLAUTHD_LDAP_TLS_CHECK_PEER}
 - SASL_PASSWD=${SASL_PASSWD}
 - SRS_EXCLUDE_DOMAINS=${SRS_EXCLUDE_DOMAINS}
 - SRS_SECRET=${SRS_SECRET}
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index 65953566..9f305edd 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
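Review bot: The added comment `# Must not be used together with SASLAUTHD_LDAP_SSL=1_` carries a stray trailing underscore and should read `# Must not be used together with SASLAUTHD_LDAP_SSL=1`, since operators copy these template lines verbatim. The `yes => LDAP over TLS enabled for SASL` wording also blurs the distinction with SASLAUTHD_LDAP_SSL: this option upgrades a plain `ldap://` session with STARTTLS rather than connecting to an `ldaps://` port, so `# yes => upgrade the ldap:// connection with STARTTLS (not for use with ldaps://)` would make the exclusion rule self-explanatory. Nothing in the .env.dist or docker-compose hunks enforces that exclusion, so the comment is currently the only guard an operator has.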
@@ -695,6 +695,8 @@ function _setup_saslauthd() {
 [ -z "$SASLAUTHD_LDAP_SERVER" ] && SASLAUTHD_LDAP_SERVER=localhost
 [ -z "$SASLAUTHD_LDAP_FILTER" ] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))'
 ([ -z "$SASLAUTHD_LDAP_SSL" ] || [ $SASLAUTHD_LDAP_SSL == 0 ]) && SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://'
+ [ -z "$SASLAUTHD_LDAP_START_TLS" ] && SASLAUTHD_LDAP_START_TLS=no
+ [ -z "$SASLAUTHD_LDAP_TLS_CHECK_PEER" ] && SASLAUTHD_LDAP_TLS_CHECK_PEER=no
 
 if [ ! -f /etc/saslauthd.conf ]; then
 notify 'inf' "Creating /etc/saslauthd.conf"
@@ -708,6 +710,9 @@ ldap_bind_pw: ${SASLAUTHD_LDAP_PASSWORD}
 ldap_search_base: ${SASLAUTHD_LDAP_SEARCH_BASE}
 ldap_filter: ${SASLAUTHD_LDAP_FILTER}
 
+ldap_start_tls: $SASLAUTHD_LDAP_START_TLS
+ldap_tls_check_peer: $SASLAUTHD_LDAP_TLS_CHECK_PEER
+
 ldap_referrals: yes
 log_level: 10
 EOF
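Review bot: The two new default assignments accept any value for SASLAUTHD_LDAP_START_TLS and never check it against the SASLAUTHD_LDAP_PROTO chosen on the line directly above, although .env.dist states that START_TLS must not be combined with SASLAUTHD_LDAP_SSL=1. A guard after the two defaults, e.g. `if [ "$SASLAUTHD_LDAP_START_TLS" = yes ] && [ "$SASLAUTHD_LDAP_PROTO" = 'ldaps://' ]; then notify 'inf' "SASLAUTHD_LDAP_START_TLS ignored: ldaps:// is already in use"; SASLAUTHD_LDAP_START_TLS=no; fi`, would make the documented rule effective in the script rather than leaving the conflicting combination for saslauthd to interpret. The values are also passed through without normalisation, so `Yes` or `true` would reach the config file unchanged; if saslauthd only understands `yes`/`no` (not verifiable from the hunk), a lowercase conversion or an explicit check here would fail early with a clear message. The remainder of `_setup_saslauthd` lies outside this hunk.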
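Review bot: With `ldap_tls_check_peer: $SASLAUTHD_LDAP_TLS_CHECK_PEER` defaulting to `no` (set in the previous hunk), an operator who enables only SASLAUTHD_LDAP_START_TLS=yes gets a STARTTLS session whose server certificate is never verified, so the upgrade defends against passive eavesdropping but not against an active adversary presenting its own certificate; consider deriving the default from the TLS setting, `[ "$SASLAUTHD_LDAP_START_TLS" = yes ] && [ -z "$SASLAUTHD_LDAP_TLS_CHECK_PEER" ] && SASLAUTHD_LDAP_TLS_CHECK_PEER=yes` ahead of the existing `no` fallback, or at minimum state the consequence in the .env.dist comment. As a point of style, the two new lines use bare `$VAR` while every neighbouring heredoc line uses `${VAR}`; `ldap_start_tls: ${SASLAUTHD_LDAP_START_TLS}` and `ldap_tls_check_peer: ${SASLAUTHD_LDAP_TLS_CHECK_PEER}` would match. Because the heredoc is only written when `/etc/saslauthd.conf` does not yet exist (the `if [ ! -f` check in the previous hunk), deployments that persist that file will not receive the new keys, which is worth a sentence in the documentation for this feature.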