diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index aa817086..7558afd5 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -10,6 +10,10 @@
   tags:
   - dovecot
 
+- name: Generate Diffie-Hellman parameters with the default size (4096 bits)
+    openssl_dhparam:
+      path: /etc/ssl/dhparams.pem
+
 - name: disable pam auth
   replace:
     dest: /etc/dovecot/conf.d/10-auth.conf
diff --git a/dovecot/templates/z-evolinux-defaults.conf.j2 b/dovecot/templates/z-evolinux-defaults.conf.j2
index 2c067b99..ab74ec0d 100644
--- a/dovecot/templates/z-evolinux-defaults.conf.j2
+++ b/dovecot/templates/z-evolinux-defaults.conf.j2
@@ -38,9 +38,9 @@ mail_max_userip_connections = 42
 # SSL/TLS
 ssl = yes
 ssl_prefer_server_ciphers = yes
-ssl_dh_parameters_length = 2048
+ssl_dh=</etc/ssl/dhparam.pem
 ssl_options = no_compression no_ticket
-ssl_protocols = !TLSv1 !TLSv1.1
+ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
 ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key