diff --git a/roles/dovecot/meta/main.yml b/roles/dovecot/meta/main.yml
new file mode 100644
index 0000000..3ae915f
--- /dev/null
+++ b/roles/dovecot/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: dhparams}
diff --git a/roles/dovecot/templates/local.conf.j2 b/roles/dovecot/templates/local.conf.j2
index 00be973..730072b 100644
--- a/roles/dovecot/templates/local.conf.j2
+++ b/roles/dovecot/templates/local.conf.j2
@@ -1,8 +1,15 @@
-# ssl settings
+# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.8&config=intermediate&openssl=1.1.1g&guideline=5.6
 ssl = required
+
 ssl_cert = <{{ tls_certs }}/{{ mail_server }}-fullchain.crt
 ssl_key = <{{ tls_private }}/{{ mail_server }}.key
+ssl_dh = <{{ tls_certs }}/ffdhe3072.pem
+
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = no
+
 
 # kerberos
 auth_gssapi_hostname = "$ALL"
 auth_krb5_keytab = /etc/dovecot/dovecot.keytab
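Review bot: The new `ssl_dh = <{{ tls_certs }}/ffdhe3072.pem` line in local.conf.j2 hard-codes a file name that nothing in this template guarantees, so Dovecot will refuse to start if the path is absent; the commit relies on the dhparams role added as a dependency in meta/main.yml to produce exactly that file, but what that role writes and where is not visible here, so the coupling is inferred. Consider sourcing the file name from a variable shared with the dhparams role rather than a literal, and document the intent beside the generator URL, e.g. `# Mozilla "intermediate" profile for Dovecot 2.3.8 — regenerate from the URL above rather than editing by hand; ssl_cipher_list governs TLS <= 1.2 only, TLS 1.3 suites follow the OpenSSL defaults on this version`. Because ssl_min_protocol and ssl_dh only take effect on a service restart, it is worth confirming that the task rendering this template notifies a Dovecot reload or restart handler.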