diff --git a/defaults/main.yml b/defaults/main.yml
index 4d05b5ba..86b57fb9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -86,6 +86,9 @@ rabbitmq_management_rates_mode: basic
 # Precompile RabbitMQ with HiPE
 rabbitmq_hipe_compile: False
+# Disable non-TLS listeners
+rabbitmq_disable_non_tls_listeners: False
+
 # RabbitMQ policies
 # Used to tune performance characteristics of OpenStack messaging
 #
diff --git a/releasenotes/notes/disable_non_tls_listeners-ef9c20d70f820a69.yaml b/releasenotes/notes/disable_non_tls_listeners-ef9c20d70f820a69.yaml
new file mode 100644
index 00000000..108cd446
--- /dev/null
+++ b/releasenotes/notes/disable_non_tls_listeners-ef9c20d70f820a69.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - The ``rabbitmq_server`` role now supports disabling listeners that do not
+ use TLS. Deployers can override the ``rabbitmq_disable_non_tls_listeners``
+ variable, setting a value of ``True`` if they wish to enable this feature.
diff --git a/templates/rabbitmq.config.j2 b/templates/rabbitmq.config.j2
index 0f7c98f0..63fe73f1 100644
--- a/templates/rabbitmq.config.j2
+++ b/templates/rabbitmq.config.j2
@@ -1,6 +1,7 @@
 [
 {rabbit, [
 {loopback_users, []},
+ {% if rabbitmq_disable_non_tls_listeners %}{tcp_listeners,[]},{% endif %}
 {ssl_listeners, [5671]},
 {collect_statistics_interval, {{ rabbitmq_collect_statistics_interval }} },
 {ssl_options, [{certfile,"{{ rabbitmq_ssl_cert }}"},
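Review bot: The comment added above `rabbitmq_disable_non_tls_listeners` in defaults/main.yml does not say which listener the flag controls or what a deployer has to check before turning it on. Going by the template change in this same commit, enabling it empties `tcp_listeners` and leaves only `ssl_listeners` on 5671, so a fuller comment would serve better: `# Disable the plain-TCP AMQP listener; clients must then connect over TLS on port 5671`. It is also worth stating there that the default of `False` keeps the non-TLS listener enabled, so the hardening is opt-in and clients still pointed at the plaintext port will lose connectivity once it is set.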
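Review bot: The `{% if rabbitmq_disable_non_tls_listeners %}` test in templates/rabbitmq.config.j2 relies on plain Jinja truthiness, so an override that arrives as a string (for example `-e rabbitmq_disable_non_tls_listeners=False` on the command line) is non-empty and evaluates true; `{% if rabbitmq_disable_non_tls_listeners | bool %}` makes the toggle follow the value the deployer intended. The condition also only empties `tcp_listeners` inside the `rabbit` application section; whether other plaintext endpoints (such as a management listener) are configured further down this template cannot be seen from the hunk, so the variable name may promise more than this line delivers and that is worth confirming. The `rabbit` section continues past the end of the hunk.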