diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst
index 042f144430ecabae944a5bcbacd3375c1be06677..e9b246b7368933f217e2f9cd1afaeb1d5ca3578a 100644
--- a/docs/releasenotes.rst
+++ b/docs/releasenotes.rst
@@ -22,6 +22,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
   * The role no longer officially supports older versions of TLS
     (TLSv1.1 and lower).
 
+* ``mail_server`` role
+
+  * The role no longer officially supports older versions of TLS
+    (TLSv1.1 and lower).
+
 * ``web_server`` role
 
   * The role no longer officially supports older versions of TLS
@@ -39,6 +44,11 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11
   * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
     alongside the mandatory ciphers.
 
+* ``mail_server`` role
+
+  * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
+    alongside the mandatory ciphers.
+
 * ``web_server`` role
 
   * TLSv1.3 is now enabled by default (in addition to TLSv1.2),
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index ca20f083cedd3eabdd6bdc97ca671e16ca8c7504..0898c344e1f6522523bb659e975a94bc3e7a090b 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1169,19 +1169,27 @@ Parameters
 **mail_server_minimum_tls_protocol** (string, optional, ``"TLSv1.2"``)
   Minimum version of TLS protocol to allow when connecting to SMTP
   submission port or IMAP. Value should be compatible with Dovecot's
-  ``ssl_protocols`` configuration option.
+  ``ssl_protocols`` and ``smtpd_tls_mandatory_protocols``
+  configuration options. Older versions of TLS protocol (TLSv1.1 and
+  lower) are not fully supported by the role, and additional
+  configuration is required on the server to weaken the OpenSSL
+  security policies.
 
 **mail_server_smtp_additional_configuration** (string, optional, ``""``))
   Additional configuration directives to include in SMTP server main
   configuration file. Directives must be specifically compatible with
   Postfix, and are treated verbatim (multi-line string will suffice).
 
-**mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
-  TLS ciphers to enable on the mail server (for IMAP and SMTP submission). This
-  should be an OpenSSL-compatible cipher specification. Value should be
-  compatible with Postfix configuration option ``tls_high_cipherlist`` and
-  Dovecot configuration option ``ssl_cipher_list``. Default value allows only
-  TLSv1.2 and strong PFS ciphers.
+**mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)
+  TLS ciphers to enable on the mail server (for IMAP and SMTP
+  submission). This should be an OpenSSL-compatible cipher
+  specification. Value should be compatible with Postfix configuration
+  option ``tls_high_cipherlist`` and Dovecot configuration option
+  ``ssl_cipher_list``. Default value allows TLSv1.2 with strong PFS
+  ciphers and RSA private keys. Ciphers listed for use with TLSv1.3
+  (``TLS_*`` ones) are mandated by relevant standards, and cannot be
+  disabled if TLSv1.3 is enabled. The TLSv1.3 ciphers are included in
+  this list for completeness' sake.
 
 **mail_user** (string, optional, ``vmail``)
   Name of the user that owns all the mail files.
diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml
index 01f6ff4a549772216490b3a342d7d45dd7a75416..f7d166c807aa89b062c3995acefd7127370b0052 100644
--- a/roles/mail_server/defaults/main.yml
+++ b/roles/mail_server/defaults/main.yml
@@ -9,6 +9,9 @@ smtp_allow_relay_from: []
 local_mail_aliases: {}
 imap_max_user_connections_per_ip: 10
 mail_server_minimum_tls_protocol: "TLSv1.2"
+
+# TLS_* ciphers are mandated by the TLSv1.3-related standards and
+# cannot be disabled when TLSv1.3 is enabled on the server.
 mail_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
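Review bot: The new comment above `mail_server_tls_ciphers` does not say that the `TLS_*` entries (added in the next hunk of this file) are informational only, so an operator may assume that deleting them from the value turns the suites off. As far as I can tell, OpenSSL selects TLSv1.3 ciphersuites through a setting separate from the TLSv1.2-and-below cipher list that Postfix `tls_high_cipherlist` and Dovecot `ssl_cipher_list` feed. The real limitation would then be that this variable does not control them, rather than that they cannot be disabled at all. I would word the comment as `# TLS_* entries are listed for reference only: TLSv1.3 ciphersuites are not` / `# selected through this cipher list, so removing them here does not disable` / `# them while TLSv1.3 is enabled.`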
@@ -16,6 +19,9 @@ DHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
+TLS_AES_128_GCM_SHA256:\
+TLS_AES_256_GCM_SHA384:\
+TLS_CHACHA20_POLY1305_SHA256:\
 !aNULL:!MD5:!EXPORT"
 mail_message_size_limit: 10240000
 mail_server_smtp_additional_configuration: ""
diff --git a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
index e0620c59b478447430d77838cb99e13f2d3d62af..b472237f5d066940b900d80a9d4f77fedef568a5 100644
--- a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
@@ -5,10 +5,15 @@ mail_ldap_url: ldap://ldap-server/
 mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"
 mail_ldap_postfix_password: postfixpassword
 mail_ldap_dovecot_password: dovecotpassword
-mail_server_minimum_tls_protocol: TLSv1.1
-mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
-DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
-ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
+mail_server_minimum_tls_protocol: TLSv1.3
+mail_server_tls_ciphers: "\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-RSA-CHACHA20-POLY1305:\
+TLS_AES_128_GCM_SHA256:\
+TLS_AES_256_GCM_SHA384:\
+TLS_CHACHA20_POLY1305_SHA256:\
+!aNULL:!MD5:!EXPORT"
 mail_user: virtmail
 mail_user_uid: 5000
 mail_user_gid: 5000
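Review bot: With `mail_server_minimum_tls_protocol: TLSv1.3`, the cipher override in this file is no longer observable. The three `ECDHE-RSA-*` entries are TLSv1.2 suites, and the matching expectation in test_optional.py now lists only the `TLS_AKE_*` suites, which the commit's own documentation describes as always on under TLSv1.3. The optional scenario therefore confirms the protocol floor but would presumably pass with any value of `mail_server_tls_ciphers`. Consider keeping one case where the minimum stays at `TLSv1.2` and the cipher list differs from the role default, so that a regression in how the list reaches Postfix or Dovecot is caught.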
diff --git a/roles/mail_server/molecule/default/tests/test_default.py b/roles/mail_server/molecule/default/tests/test_default.py
index 62017eb87d2569ebb20eb000a10901367cc2407f..2a071008214d113fce364cf7e2e1e251d05613a8 100644
--- a/roles/mail_server/molecule/default/tests/test_default.py
+++ b/roles/mail_server/molecule/default/tests/test_default.py
@@ -442,17 +442,6 @@ def test_imap_server_dh_parameter_file(host):
         assert "DH Parameters: (2048 bit)" in dhparam_info.stdout
 
 
-def test_imap_server_uses_correct_dh_parameters(host):
-    """
-    Tests if the IMAP server uses correct Diffie-Hellman parameters.
-    """
-
-    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=imap --port 143 "
-                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
-
-    assert " - Using prime: 2048 bits" in connection.stdout
-
-
 def test_imap_and_smtp_tls_files(host):
     """
     Tests if IMAP and SMTP TLS private keys and certificates have been
diff --git a/roles/mail_server/molecule/default/tests/test_mandatory.py b/roles/mail_server/molecule/default/tests/test_mandatory.py
index d17a300242066114f492ea72ca696d1563440153..a78226581dae8fb94d72649053136a4d6017d993 100644
--- a/roles/mail_server/molecule/default/tests/test_mandatory.py
+++ b/roles/mail_server/molecule/default/tests/test_mandatory.py
@@ -134,6 +134,17 @@ def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
     assert tls_ciphers == expected_tls_ciphers
 
 
+def test_imap_server_uses_correct_dh_parameters(host):
+    """
+    Tests if the IMAP server uses correct Diffie-Hellman parameters.
+    """
+
+    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=imap --port 143 "
+                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
+
+    assert " - Using prime: 2048 bits" in connection.stdout
+
+
 def test_dovecot_postmaster(host):
     """
     Tests if Dovecot postmaster has been correctly configured.
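Review bot: The docstring of `test_imap_server_uses_correct_dh_parameters` does not record that the gnutls-cli priority string forces a TLSv1.2 `DHE-RSA` handshake. The test can therefore only pass where TLSv1.2 and the DHE ciphers are enabled, which is presumably why it moved out of test_default.py. I would extend the docstring with a sentence such as `Forces a TLSv1.2 DHE-RSA handshake over IMAP STARTTLS and checks that the server offers a 2048-bit prime.` The assertion reads only stdout, so a failed handshake and a wrong prime size fail identically; `assert " - Using prime: 2048 bits" in connection.stdout, connection.stderr` would tell them apart.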
diff --git a/roles/mail_server/molecule/default/tests/test_optional.py b/roles/mail_server/molecule/default/tests/test_optional.py
index 36e2728619eecc877e6f55a3f514fb314ad19488..56059f9056bf582bcc1a339ed81c7a110c71b208 100644
--- a/roles/mail_server/molecule/default/tests/test_optional.py
+++ b/roles/mail_server/molecule/default/tests/test_optional.py
@@ -125,20 +125,11 @@ def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
     IMAP and SMTP submission.
     """
 
-    expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
+    expected_tls_versions = ["TLSv1.3"]
     expected_tls_ciphers = [
         "TLS_AKE_WITH_AES_128_GCM_SHA256",
         "TLS_AKE_WITH_AES_256_GCM_SHA384",
         "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
-        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
-        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
-        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
-        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
     ]
 
     # Run the nmap scanner against the server, and fetch the results.