diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml
index 4fe2a2f55aa493bc0f8a8044e23c2417df0586cb..25b4b7a5cd31d9a31aa87d3fbcda893bb3d9bccc 100644
--- a/roles/mail_server/defaults/main.yml
+++ b/roles/mail_server/defaults/main.yml
@@ -8,8 +8,7 @@ mail_postmaster: "postmaster@{{ ansible_domain }}"
 smtp_allow_relay_from: []
 local_mail_aliases: {}
 imap_max_user_connections_per_ip: 10
-mail_server_tls_protocols:
- - "TLSv1.2"
+mail_server_minimum_tls_protocol: "TLSv1.2"
 mail_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
@@ -20,3 +19,16 @@ ECDHE-RSA-CHACHA20-POLY1305:\
 !aNULL:!MD5:!EXPORT"
 mail_message_size_limit: 10240000
 mail_server_smtp_additional_configuration: ""
+
+# Internal use only.
+
+# Map Postfix smtpd allowed protocols based on minimum protocol
+# specified (for use with submission port smtpd instance). A bit
+# repetative, but easy to understand.
+mail_server_smtpd_submission_protocols:
+ SSLv2: ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ SSLv3: ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ TLSv1: ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ TLSv1.1: ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ TLSv1.2: ["TLSv1.2", "TLSv1.3"]
+ TLSv1.3: ["TLSv1.3"]
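Review bot: Renaming `mail_server_tls_protocols` to `mail_server_minimum_tls_protocol` with no compatibility handling means an inventory that still sets the old list is silently ignored, and the role falls back to the `"TLSv1.2"` default from this hunk. A host that had been pinned to `["TLSv1.3"]` would then accept TLSv1.2 again with no warning. The role's tasks are not part of this diff, so this is inferred. If no such guard exists, a pre-flight `ansible.builtin.assert` with `that: mail_server_tls_protocols is not defined` and a `fail_msg` naming the new variable would turn the silent downgrade into a visible failure.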
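Review bot: The `SSLv2` and `SSLv3` rows in `mail_server_smtpd_submission_protocols` let the minimum be set to a protocol that is prohibited (RFC 6176) or deprecated (RFC 7568). `TLSv1` and `TLSv1.1` are likewise deprecated by RFC 8996, so I would drop at least the two SSL rows so that the submission listener cannot be configured below TLS. Nothing visible here checks `mail_server_minimum_tls_protocol` against the map's keys, so a typo such as `tlsv1.2` would only surface as a lookup failure or, depending on how the template handles it, an empty protocol list. An assert on `mail_server_minimum_tls_protocol in mail_server_smtpd_submission_protocols` would catch that before Postfix is reconfigured. Since the map is labelled "Internal use only", the role's `vars/main.yml` is the conventional home; in `defaults/main.yml` any inventory can override it, including with weaker lists.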