diff --git a/templates/postfix/main.cf b/templates/postfix/main.cf
index 19893f4..5b75e09 100644
--- a/templates/postfix/main.cf
+++ b/templates/postfix/main.cf
@@ -23,10 +23,9 @@ queue_run_delay = 5m
 ## TLS settings ###
-tls_preempt_cipherlist = yes
+tls_preempt_cipherlist = no
 tls_ssl_options = NO_COMPRESSION
-tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
-
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ### Outbound SMTP connections (Postfix as sender)
@@ -45,8 +44,10 @@ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 ### Inbound SMTP connections
 smtpd_tls_security_level = may
-smtpd_tls_protocols = !SSLv2, !SSLv3
-smtpd_tls_ciphers = high
+smtpd_tls_auth_only = yes
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_ciphers = medium
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_key_file = /etc/dehydrated/certs/{{ mailserver_cert_domains.split(' ')[0] }}/privkey.pem
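Review bot: Nothing in the hunk records why server-side cipher ordering is switched off (`tls_preempt_cipherlist = no`) in the same change that introduces the custom `tls_medium_cipherlist`; a comment above the list such as `# AEAD-only ECDHE/DHE suites; client order is acceptable since every entry is equivalent strength` would stop the next editor from flipping it back to `yes` without understanding the trade-off. Dropping the `tls_high_cipherlist` override also reverts `high` to Postfix's built-in definition, so if the outbound section between the two hunks (not shown here) still says `smtp_tls_ciphers = high`, it now negotiates a different suite set than before and should be re-checked. To my understanding the `tls_*_cipherlist` parameters govern TLS 1.2 and earlier only, with TLS 1.3 suites chosen by OpenSSL independently, which is worth a second comment line so the list is not mistaken for a complete policy.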
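Review bot: `smtpd_tls_mandatory_protocols` and `smtpd_tls_mandatory_ciphers` only take effect when `smtpd_tls_security_level` is `encrypt` or stricter; with the level left at `may` (the context line just above them) both added lines are inert, and the listener is governed by `smtpd_tls_protocols` plus the now-default `smtpd_tls_ciphers` (medium, i.e. the list defined in the earlier hunk). Raising the opportunistic `smtpd_tls_protocols` floor to TLS 1.2 has a trade-off the commit should state: a sending MTA that only speaks TLS 1.0/1.1 fails the handshake and, under opportunistic TLS, may retry in cleartext, so for those peers the line trades weak encryption for none. Suggest `# mandatory_* apply only at security_level=encrypt; kept so the listener is ready if the level is raised` above the mandatory lines and `# peers without TLS 1.2 may fall back to plaintext under 'may'; accepted risk` above `smtpd_tls_protocols`. `smtpd_tls_auth_only = yes` is a sound addition, keeping SASL credentials off cleartext sessions. The hunk's trailing context may continue beyond this chunk.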