diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 88ab1607077d11e18c2882efd5efdb50fb2227db..e79608ab5f8d8fb7b9cfd10863127ebab6494529 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -449,8 +449,7 @@ destination machine. The role implements the following: * Deploys LDAP TLS private key and certificate. -* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:** - older clients may have problems connecting. +* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. * Installs OpenLDAP server (package ``slapd``). * Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels). * Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with @@ -655,8 +654,6 @@ The role implements the following: * Deploys XMPP TLS private key and certificate. * Installs Prosody. * Configures Prosody. -* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:** - older clients may have problems connecting. * Configures firewall to allow incoming connections to the XMPP server. Prosody is configured as follows: @@ -665,6 +662,7 @@ Prosody is configured as follows: version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth. * Self-registration is not allowed. * TLS is configured. Legacy TLS is available on port 5223. +* TLS configuration is hardened, allowing only TLSv1.2 and PFS ciphers. * Client-to-server communication requires encryption (TLS). * Authentication is done via LDAP. For setting the LDAP TLS truststore, see :ref:`LDAP Client `. @@ -788,6 +786,8 @@ Deployed services are configured as follows: * Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir`` format. * TLS is required for user log-ins for both SMTP and IMAP. +* TLS configuration is hardened for Dovecot, allowing only TLSv1.2 and PFS + ciphers. * RBL's are used for combating spam (if any is specified in configuration, see below). 
@@ -1014,8 +1014,7 @@ The role implements the following: * Installs and configures nginx with a single, default vhost with a small static index page. * Deploys the HTTPS TLS private key and certificate (for default vhost). -* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:** - older web browsers may have problems connecting. +* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. * Configures firewall to allow incoming connections to the web server. * Installs and configures virtualenv and virtualenvwrapper as a common base for Python apps. diff --git a/roles/mail_server/templates/99-local.conf.j2 b/roles/mail_server/templates/99-local.conf.j2 index f52834b4a3371f2ef83a175107298061f0245b53..bc937a2212a174973e9c93044ca0c351a2c0d689 100644 --- a/roles/mail_server/templates/99-local.conf.j2 +++ b/roles/mail_server/templates/99-local.conf.j2 @@ -31,6 +31,8 @@ service auth { # TLS configuration. ssl_cert =
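Review bot: The hunks at docs/rolereference.rst @@ -449, @@ -655 and @@ -1014 drop the caveat "**Note:** older clients may have problems connecting" (and "older web browsers" for the web role) without restating it anywhere, so an operator reading the role reference no longer learns that restricting the LDAP, XMPP and HTTPS listeners to TLSv1.2 and PFS ciphers can lock out older clients. The behaviour itself is unchanged by this patch, only its documentation, so keep one sentence of that warning next to each hardening bullet, or add a single shared compatibility note that the three roles reference.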
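Review bot: In the @@ -665 hunk the new bullet "TLS configuration is hardened, allowing only TLSv1.2 and PFS ciphers" is placed directly after "TLS is configured. Legacy TLS is available on port 5223.", which leaves it ambiguous whether the TLSv1.2/PFS restriction applies to the legacy TLS listener on 5223 as well as to STARTTLS on the regular client port; state explicitly which listeners the hardened settings cover, since a reader could reasonably take "legacy" to mean an exemption from the hardening.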
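Review bot: In the @@ -788 hunk the added bullet "TLS configuration is hardened for Dovecot, allowing only TLSv1.2 and PFS ciphers" covers the IMAP side only, while the bullet just above it says "TLS is required for user log-ins for both SMTP and IMAP"; say whether the SMTP server gets the same protocol and cipher restriction, and if it does not, document that so the asymmetry reads as deliberate rather than as an omission. The companion hunk for roles/mail_server/templates/99-local.conf.j2 is cut off on this page right after "# TLS configuration." and "ssl_cert =", so the Dovecot ssl directives that would substantiate the TLSv1.2/PFS claim are not visible here; the documentation bullet should be checked against the actual settings in that template before merging.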