diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index edb244c..375bfe8 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -298,9 +298,12 @@ in
         }
 
         mail_access_groups = ${vmailGroupName}
+
+        # https://ssl-config.mozilla.org/#server=dovecot&version=2.3.21&config=intermediate&openssl=3.4.1&guideline=5.7
         ssl = required
         ssl_min_protocol = TLSv1.2
         ssl_prefer_server_ciphers = no
+        ssl_curve_list = X25519:prime256v1:secp384r1
 
         service lmtp {
           unix_listener dovecot-lmtp {