diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index e29983a..edb3a11 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -340,8 +340,8 @@ in
 smtpd_tls_mandatory_ciphers = "high";
 # Exclude cipher suites with undesirable properties
- smtpd_tls_exclude_ciphers = "eNULL, aNULL";
- smtpd_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
+ smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
+ smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
 # Opportunistic DANE support when delivering mail to other servers
 # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
@@ -357,8 +357,8 @@ in
 smtp_tls_mandatory_ciphers = "high";
 # Exclude ciphersuites with undesirable properties
- smtp_tls_exclude_ciphers = "eNULL, aNULL";
- smtp_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
+ smtp_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
+ smtp_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
 # Restrict and prioritize the following curves in the given order
 # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
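Review bot: Adding `SHA1` to `smtpd_tls_exclude_ciphers` restricts opportunistic TLS as well, because that parameter applies at every security level and the `_mandatory_` list only adds to it; the same holds for `smtp_tls_exclude_ciphers` in the second hunk. In OpenSSL cipher-list terms `SHA1` selects suites with an HMAC-SHA1 MAC, which covers every suite a TLS 1.0/1.1-only peer can offer, so those peers will fail the handshake, and for opportunistic delivery the Postfix client's documented behaviour is to retry without TLS, which trades a dated MAC for cleartext. If the intent is to harden only the enforced-TLS paths, keep `smtpd_tls_exclude_ciphers = "eNULL, aNULL";` and `smtp_tls_exclude_ciphers = "eNULL, aNULL";` and leave `SHA1` in the two `_mandatory_` lists. If dropping legacy peers is intended, record that in the comment, for example `# SHA1 = HMAC-SHA1 suites (all pre-TLS 1.2 suites); legacy peers will fail the handshake`. The security levels in effect are set outside these hunks, so the fallback behaviour should be confirmed against them.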