diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index bee6afb92e18eb7d02abce560bbd56e0be9b7d09..a8a19eab7a995f6e1eb2dd4fcc8ed8623dca1569 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -37,6 +37,7 @@
   with_items:
     - pop3s
     - imaps
+    - managesieve
   when: configure_firewall
   tags:
     - firewall
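Review bot: Adding `managesieve` to this list opens one more password-authenticated listener to whatever sources the firewall task allows, and the task's module and its zone/source arguments start above the hunk, so the actual exposure cannot be judged from these lines. The same commit drops the explicit `service managesieve-login` block and `auth_failure_delay = 2s` from dovecot.conf.j2, so the listener port and the failed-login delay now appear to come from Dovecot's built-in defaults. A comment on the new entry would record that, e.g. `# ManageSieve, default port 4190; listener is defined by Dovecot defaults, not in dovecot.conf.j2`. If any login throttling or log-based banning is in place for the IMAP/POP3 logins, it is worth confirming it also covers the sieve login service.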
diff --git a/roles/dovecot/templates/dovecot.conf.j2 b/roles/dovecot/templates/dovecot.conf.j2
index 9e4d1adc77cf11d333acbf056315aad74e78fc3a..f0325523a0e93ec24ff24412889ed4542d0966d1 100644
--- a/roles/dovecot/templates/dovecot.conf.j2
+++ b/roles/dovecot/templates/dovecot.conf.j2
@@ -3,9 +3,6 @@ disable_plaintext_auth = yes
 mail_location = mdbox:~/.mdbox
 mail_plugins = $mail_plugins zlib notify mail_log
 
-# enable imap notify
-mailbox_list_index=yes
-
 # remove domain part from username and lowercase it
 auth_username_format = %Ln
 
@@ -48,6 +45,9 @@ plugin {
 
 	mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
 	mail_log_fields = uid box msgid size
+
+	zlib_save_level = 6
+	zlib_save = gz
 }
 protocols = imap pop3 sieve lmtp
 service auth {
@@ -73,18 +73,6 @@ service pop3-login {
     port = 0
   }
 }
-
-service managesieve-login {
-	inet_listener sieve {
-		# use default port
-		#port = 4190
-	}
-	inet_listener sieve-obsolete {
-		port = 2000
-	}
-}
-service managesieve {
-}
 service lmtp {
 	unix_listener /var/spool/postfix/private/dovecot-lmtp {
 		group = postfix
@@ -95,14 +83,15 @@ service lmtp {
 
 login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
 
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6
 ssl_cert = </etc/letsencrypt/live/{{mail_domain}}/fullchain.pem
 ssl_key = </etc/letsencrypt/live/{{mail_domain}}/privkey.pem
 ssl_prefer_server_ciphers = yes
-ssl_min_protocol = TLSv1
+ssl_min_protocol = TLSv1.2
 ssl_dh=</etc/dovecot/dh.pem
 ssl_options = no_compression
 
-ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
 userdb {
 	driver = passwd
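Review bot: The two DHE-RSA suites at the end of the new `ssl_cipher_list` are only as strong as the group in `/etc/dovecot/dh.pem`, and nothing in this hunk shows how that file is produced; confirm the role generates or ships it with at least 2048 bits (the Mozilla intermediate profile uses ffdhe2048). The added reference comment links the generator's nginx profile, so pointing it at the Dovecot profile (`server=dovecot`) would keep the link in line with the directives used here. The intermediate profile also leaves cipher order to the client, so keeping `ssl_prefer_server_ciphers = yes` is a deviation that deserves a short comment, e.g. `# server order kept on purpose; every listed suite is AEAD with forward secrecy`.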
@@ -112,10 +101,6 @@ protocol imap {
 	mail_max_userip_connections = 30
 	mail_plugins = $mail_plugins
 }
-protocol lda {
-	mail_plugins = $mail_plugins sieve
-	postmaster_address = postmaster@archlinux.org
-}
 protocol lmtp {
 	postmaster_address = postmaster@archlinux.org
 	mail_plugins = $mail_plugins sieve
@@ -123,10 +108,3 @@ protocol lmtp {
 protocol sieve {
 	managesieve_logout_format = bytes ( in=%i : out=%o )
 }
-plugin {
-	sieve = ~/.dovecot.sieve
-	sieve_dir = ~/.sieve
-	zlib_save_level = 6
-	zlib_save = gz
-}
-auth_failure_delay = 2s