I recommend that you also support implicit TLS for both client-to-server and server-to-server connections, instead of just STARTTLS. That'd be the "c2s_direct_tls_ports" and "s2s_direct_tls_ports" directives, on port 5223 and 5270 respectively. These should go into your SRV records, too. Also consider enabling SASL2.