diff --git a/milter/entrypoint.sh b/milter/entrypoint.sh
index 8fed8f3..f2a3252 100644
--- a/milter/entrypoint.sh
+++ b/milter/entrypoint.sh
@@ -57,6 +57,16 @@ fi
 # Render postfix main.cf
 envsubst '$MYHOSTNAME $MYDOMAIN' < /opt/mx-box/postfix-main.cf.template > /etc/postfix/main.cf
+# Apply POSTFIX_CONF_* env vars as runtime overrides before any hardcoded
+# security settings, so TLS paths and mynetworks always take precedence.
+# e.g., POSTFIX_CONF_DEFAULT_PROCESS_LIMIT=300 → postconf -e "default_process_limit=300"
+for name in "${!POSTFIX_CONF_@}"; do
+ param="${name#POSTFIX_CONF_}"
+ param="${param,,}"
+ postconf -e "${param}=${!name}"
+ echo "postconf override: ${param}=${!name}"
+done
+
 # Propagate TLS_CERT/TLS_KEY into Postfix. The template hardcodes the default
 # self-signed paths so the no-env-set case keeps working unchanged; postconf
 # overrides them when a caller has configured custom paths (or after the
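Review bot: The loop writes every `POSTFIX_CONF_*` variable into main.cf with no restriction on the parameter name, so the comment's promise that TLS paths and mynetworks "always take precedence" holds only for parameters the script re-sets unconditionally further down, which this hunk does not show. The trailing context says postconf overrides the TLS paths "when a caller has configured custom paths", which suggests that with TLS_CERT/TLS_KEY unset a `POSTFIX_CONF_SMTPD_TLS_CERT_FILE` value would stay in effect; relay restrictions and milter settings look reachable the same way. If some parameters are meant to be fixed by the image, skip them in the loop with a `case "$param" in` guard and reword the comment to name exactly what is protected. The `echo` also copies each value into the container log, and Postfix values can embed credentials (for example a `static:` SASL password map), so log the name only: `echo "postconf override: ${param}"`.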