diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index cc3e630575bcc86da0455df399bb7437c583a05b..73223bc7ad3cf609064972447b335be3635d2271 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -496,9 +496,9 @@ The role implements the following:
 Prosody is configured as follows:
 * Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,
- version, uptime, time, ping, pep, register, admin_adhoc, announce.
+ version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.
 * Self-registration is not allowed.
-* TLS is configured.
+* TLS is configured. Legacy TLS is available on port 5223.
 * Client-to-server communication requires encryption (TLS).
 * Authentication is done via LDAP. For setting the LDAP TLS truststore, see :ref:`LDAP Client `.
diff --git a/roles/prosody/templates/prosody.cfg.lua.j2 b/roles/prosody/templates/prosody.cfg.lua.j2
index f5851d37f5eeef538e4cd9e0edd372b42d9d2e5f..3ae1d3a8f24f2c731a9af60e5c74a2deda16dd45 100644
--- a/roles/prosody/templates/prosody.cfg.lua.j2
+++ b/roles/prosody/templates/prosody.cfg.lua.j2
@@ -32,6 +32,7 @@ modules_enabled = {
 -- Other specific functionality
 "announce"; -- Send announcement to all online users
+ "legacyauth"; -- Allow legacy authentication and SSL
 };
 -- Disable account creation by default, for security
@@ -45,6 +46,9 @@ ssl = {
 certificate = "{{ prosody_tls_certificate }}";
 }
+-- Ports on which to have direct TLS/SSL.
+legacy_ssl_ports = { 5223 }
+
 -- Force clients to use encrypted connection.
 c2s_require_encryption = true
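Review bot: The comment on the new `"legacyauth";` entry says it allows "legacy authentication and SSL", but as far as I know mod_legacyauth only adds the obsolete non-SASL login (XEP-0078); the direct-TLS listener comes from `legacy_ssl_ports` in the later hunk. If the aim is only to serve clients that connect on 5223, the module may not be needed, and leaving it out keeps the older authentication path closed. If old clients really do need it, the comment should say so, e.g. `"legacyauth"; -- Non-SASL authentication (XEP-0078) for old clients`, and it is worth confirming that such logins are refused on unencrypted sessions under `c2s_require_encryption = true`. The `modules_enabled` table opens above this hunk, so its other entries are not visible here.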
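Review bot: The new `legacy_ssl_ports = { 5223 }` listener carries no note on which TLS settings it uses; the hunk shows only the global `ssl` block, so the 5223 listener presumably shares that certificate and whatever protocol and cipher options are set above the hunk. A comment such as `-- Direct TLS for old clients; uses the certificate and options from the ssl block above.` would make that explicit. No firewall or test change for port 5223 is visible in this diff, so that should be checked in the role's tasks. The `ssl` table begins outside the hunk.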