diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12f8ffcc..dcdcff58 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,8 @@ The **patch** part changes incrementally at each release.
 ### Changed
+* dovecot: stronger TLS configuration
+
 ### Fixed
 * apache: cleaner way to overwrite the server status suffix
 * packweb-apache: don't regenerate phpMyAdmin suffix each time
diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2
index 787b9d01..2c067b99 100644
--- a/dovecot/templates/z-evolinux-defaults.conf.j2
+++ b/dovecot/templates/z-evolinux-defaults.conf.j2
@@ -37,5 +37,10 @@ mail_max_userip_connections = 42
 # SSL/TLS
 ssl = yes
+ssl_prefer_server_ciphers = yes
+ssl_dh_parameters_length = 2048
+ssl_options = no_compression no_ticket
+ssl_protocols = !TLSv1 !TLSv1.1
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 ssl_cert =
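Review bot: The added `ssl_cipher_list` line still admits the four 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and the static-RSA suites from `AES128-GCM-SHA256` through `AES256-SHA`, so a change labelled "stronger TLS configuration" still negotiates 64-bit-block ciphers and sessions without forward secrecy for any client that offers nothing better. Because `ssl_prefer_server_ciphers = yes` makes the server's order decisive, those trailing entries only ever serve legacy clients; unless such clients are a stated requirement, cut the list after `DHE-RSA-AES256-SHA`, keep the trailing `:!DSS`, and add a comment above the line naming the profile it was taken from so it can be refreshed later. Separately, `ssl_protocols` and `ssl_dh_parameters_length` are Dovecot 2.2-era settings; if this role is also applied to Dovecot 2.3 hosts, where they were superseded by `ssl_min_protocol` and `ssl_dh`, confirm they are still accepted rather than warned about or ignored. The hunk's trailing context appears cut off after `ssl_cert =`, so the lines following it were not reviewed.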