diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst
index 2ce40fce8bb397fd066bd07a69b0e8352eb0095c..5f5a898386a67da178934487b9ff54de5f61026a 100644
--- a/docs/releasenotes.rst
+++ b/docs/releasenotes.rst
@@ -42,6 +42,13 @@ Dropped support for Debian 10 (Buster).
   parameter expects a list of IPv4 and IPv6 addresses (or subnets).
   Resolvable names can no longer be specified.
 
+* ``mail_server`` role
+
+  * Parameter ``mail_server_tls_protocols`` has been dropped and
+    replaced with parameter ``mail_server_minimum_tls_protocol``. Full
+    list of TLS protocols can no longer be specified, only the minimum
+    one.
+
 * ``wsgi_website`` role
 
   * Dropped support for Python 2.7. Only Python 3 is supported now.
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 1d15010a572c6143a63d58b0b665e25826b78163..2f184fd709029d6cdaf3981b5f5dff545b8e372f 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1165,17 +1165,16 @@ Parameters
   advertised as part of SMTP server capabilities (in response to the ``ehlo`` SMTP command).
 
+**mail_server_minimum_tls_protocol** (string, optional, ``"TLSv1.2"``)
+  Minimum version of TLS protocol to allow when connecting to SMTP
+  submission port or IMAP. Value should be compatible with Dovecot's
+  ``ssl_protocols`` configuration option.
+
 **mail_server_smtp_additional_configuration** (string, optional, ``""``))
   Additional configuration directives to include in SMTP server main configuration file. Directives must be specifically compatible with Postfix, and are treated verbatim (multi-line string will suffice).
 
-**mail_server_tls_protocols** (list, optional, ``[ "TLSv1.2" ]``)
-  List of TLS protocols the mail server should support. Each value specified
-  should be compatible with Postfix configuration option
-  ``smtpd_tls_mandatory_protocols`` and Dovecot configuration option
-  ``ssl_protocols``.
-
 **mail_server_tls_ciphers** (string, optional ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!EXPORT``)
   TLS ciphers to enable on the mail server (for IMAP and SMTP submission).
   This should be an OpenSSL-compatible cipher specification. Value should be
diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml
index 4fe2a2f55aa493bc0f8a8044e23c2417df0586cb..25b4b7a5cd31d9a31aa87d3fbcda893bb3d9bccc 100644
--- a/roles/mail_server/defaults/main.yml
+++ b/roles/mail_server/defaults/main.yml
@@ -8,8 +8,7 @@ mail_postmaster: "postmaster@{{ ansible_domain }}"
 smtp_allow_relay_from: []
 local_mail_aliases: {}
 imap_max_user_connections_per_ip: 10
-mail_server_tls_protocols:
-  - "TLSv1.2"
+mail_server_minimum_tls_protocol: "TLSv1.2"
 mail_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
@@ -20,3 +19,16 @@ ECDHE-RSA-CHACHA20-POLY1305:\
 !aNULL:!MD5:!EXPORT"
 mail_message_size_limit: 10240000
 mail_server_smtp_additional_configuration: ""
+
+# Internal use only.
+
+# Map Postfix smtpd allowed protocols based on minimum protocol
+# specified (for use with submission port smtpd instance). A bit
+# repetative, but easy to understand.
+mail_server_smtpd_submission_protocols:
+  SSLv2: ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+  SSLv3: ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+  TLSv1: ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+  TLSv1.1: ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
+  TLSv1.2: ["TLSv1.2", "TLSv1.3"]
+  TLSv1.3: ["TLSv1.3"]
diff --git a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
index debfa2481db1e838bdad7c44f5d712c8d64d042e..61f2866d22c853195c887f707ef4fb2ac3c37141 100644
--- a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
@@ -5,9 +5,7 @@ mail_ldap_url: ldap://ldap-server/
 mail_ldap_tls_truststore: "{{ lookup('file', 'tests/data/x509/ca/chain-full.cert.pem') }}"
 mail_ldap_postfix_password: postfixpassword
 mail_ldap_dovecot_password: dovecotpassword
-mail_server_tls_protocols:
-  - TLSv1.2
-  - TLSv1.1
+mail_server_minimum_tls_protocol: TLSv1.1
 mail_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\
 DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
diff --git a/roles/mail_server/molecule/default/tests/test_default.py b/roles/mail_server/molecule/default/tests/test_default.py
index 97169b411ccc2774362fb837d685f32a83e3eaa0..51d1855fdd64283fcdbb7e2883cd8b6a4fdc83ed 100644
--- a/roles/mail_server/molecule/default/tests/test_default.py
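Review bot: Nothing in this hunk checks that `mail_server_minimum_tls_protocol` is one of the keys of the new `mail_server_smtpd_submission_protocols` map, so a mistyped value such as `TLS1.2` would presumably surface only as an undefined-key error wherever the map is looked up (the consuming task or template is outside this hunk). An `assert` task early in the role, `that: mail_server_minimum_tls_protocol in mail_server_smtpd_submission_protocols` with a `fail_msg` listing the accepted keys, would fail with a clear message instead. The `SSLv2` and `SSLv3` keys cannot produce a working floor in practice, since SSLv2 was removed from OpenSSL 1.1.0 and SSLv3 is disabled in distribution builds, so the comment should say which entries exist only for completeness, e.g. `# Keys below TLSv1.2 are listed for completeness; TLSv1.2 is the supported floor.`; `repetative` should also read `repetitive`.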
+++ b/roles/mail_server/molecule/default/tests/test_default.py @@ -705,3 +705,17 @@ def test_smtp_default_port_tls_version_and_ciphers(host): assert tls_versions == expected_tls_versions assert tls_ciphers == expected_tls_ciphers[distribution_release] + + +def test_dovecot_warnings(host): + """ + Tests if Dovecot is reporting any warnings. + """ + + with host.sudo(): + + # Use invocation ID to get service logs since last restart. + invocation_id = host.run("systemctl show -p InvocationID --value dovecot").stdout.strip() + invocation_logs = host.run("journalctl INVOCATION_ID=%s + _SYSTEMD_INVOCATION_ID=%s", invocation_id, invocation_id) + + assert "doveconf: Warning" not in invocation_logs.stdout diff --git a/roles/mail_server/templates/99-local.conf.j2 b/roles/mail_server/templates/99-local.conf.j2 index 0f91c09f199b9c05dfb8ef7c30cfc6efe1553431..e5178291718081b59771dbcc7acb132fa204936a 100644 --- a/roles/mail_server/templates/99-local.conf.j2 +++ b/roles/mail_server/templates/99-local.conf.j2 @@ -32,7 +32,7 @@ service auth { ssl_cert =
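Review bot: The final assertion in `test_dovecot_warnings` passes vacuously when the lookup fails: if `systemctl show -p InvocationID --value dovecot` prints nothing (unit not running, or a systemd without `--value`), `invocation_id` is `""`, the `journalctl` match selects no entries and no warning can ever be found. Pin both steps before asserting on content, `assert invocation_id, "no InvocationID for dovecot"` after the first `host.run`, and `assert invocation_logs.rc == 0` before the existing `assert`. The docstring should also say what the test guards against, presumably a deprecated option such as the old `ssl_protocols` setting being flagged by `doveconf`; `"""Fail if Dovecot logged doveconf warnings (e.g. deprecated options) since its last start."""`.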