--- cf/README	2015-06-17 09:51:58.000000000 -0700
+++ cf/README	2015-07-22 20:42:14.000000000 -0700
@@ -1603,6 +1603,24 @@
 		has been compiled with the options MAP_REGEX and
 		DNSMAP.
 
+tls_failures	If enabled, the MTA will stop using STARTTLS on
+		outbound connections after a certain number of previous
+		failures with either PROTOCOL or SOFTWARE error. An
+		optional numeric value indicates the number of attempts
+		after which the MTA will give up trying STARTTLS:
+
+		FEATURE(`tls_failures', `8')
+
+		Once ${ntries} exceeds the value of 8, and if the
+		previous delivery ended up with a PROTOCOL or
+		SOFTWARE TLS errors, then the MTA will not use
+		STARTTLS. Default value for the parameter is 5.
+
+		Note: if you enforce TLS for the recipient or
+		destination then it is likely the message will
+		never be delivered as the TLS enforced criterias
+		are unlikely to be ever verified.
+
 +-------+
 | HACKS |
 +-------+
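Review bot: The tls_failures text defines the threshold in two ways that do not obviously agree. The first paragraph counts "previous failures with either PROTOCOL or SOFTWARE error", but the paragraph after the FEATURE example triggers on `${ntries}` exceeding the value, combined with the previous delivery having ended in such an error. Please state which condition is actually checked, and whether the cut-off is at the configured attempt or the one after it ("after which the MTA will give up" versus "exceeds the value of 8"). Because "will not use STARTTLS" means the following attempts to that destination are made without TLS, the entry should say so in plain words so an administrator enabling the feature knows it trades confidentiality for deliverability. The closing Note should also spell out the outcome for recipients or destinations where TLS is enforced, rather than "likely ... never be delivered", and ideally recommend not combining the two. Wording: "a PROTOCOL or SOFTWARE TLS errors" mixes singular and plural, and "criterias" should be "criteria".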
