diff --git a/NEWS b/NEWS
index 82ea39ef2e0296ccbc83b9f215b883aded7a7482..8f947c8a6546a2b6a0f267609c8f7b0764b5e939 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,10 @@
 unreleased (207x-xx-xx)
 
+    [postfix] Add the parameter "enable_postfix_compat2" to the
+    base::postfix class to add the backwards compatibility option to
+    main.cf. Defaults to true so the class acts the same as it ever
+    did. [adamhl]
+
     [ssh] Remove the two options "RSAAuthentication" and
     "RhostsRSAAuthentication" that have been deprecated and are only used
     with SSH's protocol 1 (which we don't use anyway). See
diff --git a/manifests/postfix.pp b/manifests/postfix.pp
index 9944860164e0cf433ea4b918debaa17ba3b6011b..7e8cbb4e84eb43824f9a495fbf5caa09b72ea226 100644
--- a/manifests/postfix.pp
+++ b/manifests/postfix.pp
@@ -4,7 +4,17 @@
 
 # Standard Postfix class for outgoing servers.  There is no daemon listening
 # on SMTP port.  The outgoing mail will be masqueraded except root mail.
-class base::postfix {
+#
+# $enable_postfix_compat2: if true, will add the line
+#
+#    compatibility_level = 2
+#
+# to /etc/postfix/main.cf. For more information, see
+# http://www.postfix.org/COMPATIBILITY_README.html#turnoff
+
+class base::postfix (
+  $enable_postfix_compat2 = true,
+) {
   package { 'postfix': ensure => present }
 
   # The core service.  The init script appears to support status on all the
@@ -37,19 +47,30 @@ class base::postfix {
   file {
     '/etc/filter-syslog/postfix':
       source  => 'puppet:///modules/base/postfix/etc/filter-syslog/postfix';
-    '/etc/postfix/main.cf':
-      source  => $::lsbdistcodename ? {
-        # rhel5 only fix for prng_exch
-        'Tikanga' => 'puppet:///modules/base/postfix/etc/postfix/main.cf.tikanga',
-        default   => 'puppet:///modules/base/postfix/etc/postfix/main.cf',
-      },
-      notify  => Service['postfix'],
-      require => Package['postfix'];
     '/etc/postfix/master.cf':
       source  => "puppet:///modules/base/postfix/etc/postfix/master.cf.$mastercfsuffix",
       notify  => Service['postfix'],
       require => Package['postfix'];
   }
+
+  # main.cf
+  case $::lsbdistcodename {
+    'Tikanga': {
+      file { '/etc/postfix/main.cf':
+        source => 'puppet:///modules/base/postfix/etc/postfix/main.cf.tikanga',
+        notify  => Service['postfix'],
+        require => Package['postfix'],
+      }
+    }
+    default: {
+      file { '/etc/postfix/main.cf':
+        content => template('base/postfix/etc/postfix/main.cf.erb'),
+        notify  => Service['postfix'],
+        require => Package['postfix'],
+      }
+    }
+  }
+
   base::postfix::map {
     '/etc/postfix/recipients':
       ensure  => present;
diff --git a/files/postfix/etc/postfix/main.cf b/templates/postfix/etc/postfix/main.cf.erb
similarity index 73%
rename from files/postfix/etc/postfix/main.cf
rename to templates/postfix/etc/postfix/main.cf.erb
index a7a1228d705894850b83b42099ae607b4a80ccb0..cef03661dd62337a8a29fe38137cc8f07268f719 100644
--- a/files/postfix/etc/postfix/main.cf
+++ b/templates/postfix/etc/postfix/main.cf.erb
@@ -19,3 +19,9 @@ transport_maps           = hash:/etc/postfix/transport
 smtp_tls_loglevel       = 1
 smtp_use_tls            = yes
 smtp_tls_security_level = may
+
+<%- if (@enable_postfix_compat2) then -%>
+# Make postfix defaults act in the version 2 manner. Should add
+# appropriate defaults at some point so we can remove this directive.
+compatibility_level = 2
+<%- end -%>