diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix
index eb88cdf..b7e54f3 100644
--- a/config/hosts/mail-2/postfix.nix
+++ b/config/hosts/mail-2/postfix.nix
@@ -15,6 +15,23 @@
 smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
 proxy_interfaces = 217.160.117.160
 relay_recipient_maps =
+ smtp_tls_ciphers = high
+ smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtp_tls_mandatory_ciphers = high
+ smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtpd_tls_auth_only = yes
+ smtpd_tls_ciphers = high
+ smtpd_tls_eecdh_grade = ultra
+ smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtpd_tls_loglevel = 1
+ smtpd_tls_mandatory_ciphers = high
+ smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+ smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+ tls_preempt_cipherlist = yes
+ tls_random_source = dev:/dev/urandom
 '';
 };
 }
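Review bot: The four `*_protocols` lines still enable `TLSv1.1` while excluding TLSv1, although TLS 1.1 was deprecated together with TLS 1.0 (RFC 8996); if the intent is a modern floor, drop it, e.g. `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1` (or `>=TLSv1.2` on Postfix 3.6 and later). In the four `*_exclude_ciphers` lines `PSD` is not an OpenSSL cipher class and is presumably a typo for `PSK`, so PSK suites are likely not excluded as intended. For the opportunistic client settings (`smtp_tls_ciphers`, `smtp_tls_protocols`) a stricter floor can push delivery to peers with older TLS stacks back to cleartext when no policy forces encryption, which deserves a comment in the file. The enclosing Nix string starts above the hunk, so the outbound `smtp_tls_security_level` is not visible here.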