diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index edb244c..c06b478 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -182,6 +182,7 @@ in
       mailLocation = dovecotMaildir;
       sslServerCert = certificatePath;
       sslServerKey = keyPath;
+      enableDHE = lib.mkDefault false;
       enableLmtp = true;
       mailPlugins.globally.enable = lib.optionals cfg.fullTextSearch.enable [
         "fts"
@@ -298,9 +299,12 @@ in
         }
 
         mail_access_groups = ${vmailGroupName}
+
+        # https://ssl-config.mozilla.org/#server=dovecot&version=2.3.21&config=intermediate&openssl=3.4.1&guideline=5.7
         ssl = required
         ssl_min_protocol = TLSv1.2
         ssl_prefer_server_ciphers = no
+        ssl_curve_list = X25519:prime256v1:secp384r1
 
         service lmtp {
           unix_listener dovecot-lmtp {
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 9c7568f..e45a725 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -243,11 +243,6 @@ in
         # Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
         lmtp_destination_recipient_limit = "1";
 
-        # Opportunistic DANE support
-        # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
-        smtp_dns_support_level = "dnssec";
-        smtp_tls_security_level = "dane";
-
         # sasl with dovecot
         smtpd_sasl_type = "dovecot";
         smtpd_sasl_path = "/run/dovecot2/auth";
@@ -269,40 +264,62 @@ in
           "check_policy_service unix:/run/dovecot2/quota-status"
         ];
 
-        # TLS settings, inspired by https://github.com/jeaye/nix-files
-        # Submission by mail clients is handled in submissionOptions
+        # TLS for incoming mail is optional
         smtpd_tls_security_level = "may";
 
-        # Disable obselete protocols
-        smtpd_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
-        smtp_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
-        smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
-        smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+        # But required for authentication attempts
+        smtpd_tls_auth_only = true;
 
-        smtp_tls_ciphers = "high";
+        # TLS versions supported for the SMTP server
+        smtpd_tls_protocols = ">=TLSv1.2";
+        smtpd_tls_mandatory_protocols = ">=TLSv1.2";
+
+        # Require ciphersuites that OpenSSL classifies as "High"
         smtpd_tls_ciphers = "high";
-        smtp_tls_mandatory_ciphers = "high";
         smtpd_tls_mandatory_ciphers = "high";
 
-        # Disable deprecated ciphers
-        smtpd_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
-        smtpd_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
-        smtp_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
-        smtp_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
+        # Exclude cipher suites with undesirable properties
+        smtpd_tls_exclude_ciphers = "eNULL, aNULL";
+        smtpd_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
+
+        # Opportunistic DANE support when delivering mail to other servers
+        # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
+        smtp_dns_support_level = "dnssec";
+        smtp_tls_security_level = "dane";
+
+        # TLS versions supported for the SMTP client
+        smtp_tls_protocols = ">=TLSv1.2";
+        smtp_tls_mandatory_protocols = ">=TLSv1.2";
+
+        # Require ciphersuites that OpenSSL classifies as "High"
+        smtp_tls_ciphers = "high";
+        smtp_tls_mandatory_ciphers = "high";
+
+        # Exclude ciphersuites with undesirable properties
+        smtp_tls_exclude_ciphers = "eNULL, aNULL";
+        smtp_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
+
+        # Restrict and prioritize the following curves in the given order
+        # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
+        # https://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves
+        # https://ssl-config.mozilla.org/#server=postfix&version=3.10&config=intermediate&openssl=3.4.1&guideline=5.7
+        tls_eecdh_auto_curves = [
+          "X25519"
+          "prime256v1"
+          "secp384r1"
+        ];
+
+        # Disable FFDHE on TLSv1.3 because it is slower than elliptic curves
+        # https://www.postfix.org/postconf.5.html#tls_ffdhe_auto_groups
+        tls_ffdhe_auto_groups = [ ];
 
         # As long as all cipher suites are considered safe, let the client use its preferred cipher
         tls_preempt_cipherlist = false;
 
-        # Allowing AUTH on a non encrypted connection poses a security risk
-        smtpd_tls_auth_only = true;
-
         # Log only a summary message on TLS handshake completion
         smtp_tls_loglevel = "1";
         smtpd_tls_loglevel = "1";
 
-        # Configure a non blocking source of randomness
-        tls_random_source = "dev:/dev/urandom";
-
         smtpd_milters = smtpdMilters;
         non_smtpd_milters = lib.mkIf cfg.dkimSigning [ "unix:/run/rspamd/rspamd-milter.sock" ];
         milter_protocol = "6";