diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89b49e9..c976a6f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
+# 1.0.6
+
+- [docker](Makefile) Use alpine:3.21 (postfix:3.9.1 dovecot:2.3.21.1).
+
 # 1.0.5
-- [docker](Makefile) Use alpine:3.20 (postfix:3.9.0 dovecot:2.3.21).
+- [docker](Makefile) Use alpine:3.20 (postfix:3.9.0 dovecot:2.3.21.1).
 - [github](.github/workflows/testimage.yml) Now use Node.js 20 `actions/checkout@v4`.
 - [demo](demo) Fixed target `*-apk_list`.
diff --git a/Makefile b/Makefile
index 60e4d18..f54ff7f 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,7 @@
 -include *.mk
-BLD_ARG ?= --build-arg DIST=alpine --build-arg REL=3.20
+BLD_ARG ?= --build-arg DIST=alpine --build-arg REL=3.21
 BLD_REPO ?= mlan/postfix
 BLD_VER ?= latest
 BLD_TGT ?= full
diff --git a/ROADMAP.md b/ROADMAP.md
index 00b88ca..2163624 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,5 +1,21 @@
 # Road map
+## Postfix configuration
+### TLS Forward Secrecy
+
+The built-in default Postfix FFDHE group is a 2048-bit group as of Postfix 3.1. You can optionally generate non-default Postfix SMTP server FFDHE parameters for possibly improved security against pre-computation attacks, but this is not necessary or recommended. Just leave "smtpd_tls_dh1024_param_file" at its default empty value. [TLS Forward Secrecy in Postfix](https://www.postfix.org/FORWARD_SECRECY_README.html)
+
+```sh
+/etc/postfix/main.cf: support for parameter "smtpd_tls_dh1024_param_file" will be removed; instead, do not specify (leave at default)
+```
+### Enable TLS
+
+Dont use `smtpd_use_tls` anymore. `smtpd_tls_security_level=may` is sufficient.
+
+```sh
+/etc/postfix/main.cf: support for parameter "smtpd_use_tls" will be removed; instead, specify "smtpd_tls_security_level"
+```
+
 ## PostSRSd
 Arrange optional configuration of the [PostSRSd](https://github.com/roehling/postsrsd) Sender Rewriting Scheme (SRS) via TCP-based lookup tables for Postfix.
@@ -17,4 +33,4 @@ Don't make DOCKER_ACME_SSL_DIR=/etc/ssl/acme persistent. We will remove all old
 Need to fix runit script for postfix. It does not kill all children. the reason is that we don't let `runsvdir` become pid=1 and `postfix startup-fg` checks for pid=1 and since it isn't start `master -s` instead of `exec master -i`
-, see `/usr/libexec/postfix/postfix-script`.
\ No newline at end of file
+, see `/usr/libexec/postfix/postfix-script`.
diff --git a/src/postfix/entry.d/10-postfix-common b/src/postfix/entry.d/10-postfix-common
index fd38b7b..616993d 100755
--- a/src/postfix/entry.d/10-postfix-common
+++ b/src/postfix/entry.d/10-postfix-common
@@ -313,7 +313,7 @@ postfix_activate_tls_cert() {
 if ([ -n "$SMTPD_TLS_CERT_FILE" ] || [ -n "$SMTPD_TLS_ECCERT_FILE" ] || \
 [ -n "$SMTPD_TLS_DCERT_FILE" ] || [ -n "$SMTPD_TLS_CHAIN_FILES" ]); then
 dc_log 5 "[postfix] Activating incoming tls."
-postconf -e smtpd_use_tls=yes
+# postconf -e smtpd_use_tls=yes # use only smtpd_tls_security_level
 postconf -e smtpd_tls_security_level=may
 postconf -e smtpd_tls_auth_only=yes
 fi
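Review bot: Commenting out `postconf -e smtpd_use_tls=yes` in postfix_activate_tls_cert only stops writing the parameter; it does not remove a `smtpd_use_tls = yes` that an earlier run already wrote into main.cf, so a deployment whose main.cf survives the image upgrade will presumably keep logging the "support for parameter smtpd_use_tls will be removed" warning that the ROADMAP hunk quotes. If cleaning that up is the goal, replace the commented line with `postconf -X smtpd_use_tls` so the stale entry is deleted, or drop the line entirely rather than keeping dead code behind a trailing comment. `smtpd_tls_security_level=may` on the following line is the opportunistic-TLS setting the legacy parameter mapped to, so behaviour for new installs is unchanged. The function starts before this hunk and its body continues after the `fi`.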