diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml
index 01f6ff4a549772216490b3a342d7d45dd7a75416..f7d166c807aa89b062c3995acefd7127370b0052 100644
--- a/roles/mail_server/defaults/main.yml
+++ b/roles/mail_server/defaults/main.yml
@@ -9,6 +9,9 @@ smtp_allow_relay_from: []
 local_mail_aliases: {}
 imap_max_user_connections_per_ip: 10
 mail_server_minimum_tls_protocol: "TLSv1.2"
+
+# TLS_* ciphers are mandated by the TLSv1.3-related standards and
+# cannot be disabled when TLSv1.3 is enabled on the server.
 mail_server_tls_ciphers: "\
 DHE-RSA-AES128-GCM-SHA256:\
 DHE-RSA-AES256-GCM-SHA384:\
@@ -16,6 +19,9 @@ DHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-RSA-CHACHA20-POLY1305:\
+TLS_AES_128_GCM_SHA256:\
+TLS_AES_256_GCM_SHA384:\
+TLS_CHACHA20_POLY1305_SHA256:\
 !aNULL:!MD5:!EXPORT"
 mail_message_size_limit: 10240000
 mail_server_smtp_additional_configuration: ""