diff --git a/bundles/basic/items.py b/bundles/basic/items.py
index 197c952..e0f9242 100644
--- a/bundles/basic/items.py
+++ b/bundles/basic/items.py
@@ -29,6 +29,17 @@ files = {
     },
 }
 
+if node.has_any_bundle([
+    'dovecot',
+    'nginx',
+    'postfix',
+]):
+    actions['generate-dhparam'] = {
+        'command': 'openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048',
+        'unless': 'test -f /etc/ssl/certs/dhparam.pem',
+    }
+
+
 locale_needs = set()
 for locale in sorted(node.metadata.get('locale/installed')):
     actions[f'ensure_locale_{locale}_is_enabled'] = {
@@ -41,11 +52,9 @@ for locale in sorted(node.metadata.get('locale/installed')):
     }
     locale_needs = {f'action:ensure_locale_{locale}_is_enabled'}
 
-actions = {
-    'locale-gen': {
-        'triggered': True,
-        'command': 'locale-gen',
-    },
+actions['locale-gen'] = {
+    'triggered': True,
+    'command': 'locale-gen',
 }
 
 description = []
diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf
index 19dea4f..804c6a9 100644
--- a/bundles/dovecot/files/dovecot.conf
+++ b/bundles/dovecot/files/dovecot.conf
@@ -28,13 +28,13 @@ namespace inbox {
 mail_location = maildir:/var/mail/vmail/%d/%n
 protocols = imap lmtp sieve
 
-ssl = yes
+ssl = required
 ssl_cert = </var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}/fullchain.pem
 ssl_key =  </var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}/privkey.pem
-ssl_dh = </etc/dovecot/ssl/dhparam.pem
+ssl_dh = </etc/ssl/certs/dhparam.pem
 ssl_min_protocol = TLSv1.2
-ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
-ssl_prefer_server_ciphers = yes
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ssl_prefer_server_ciphers = no
 
 login_greeting = IMAPd ready
 auth_mechanisms = plain login
diff --git a/bundles/dovecot/items.py b/bundles/dovecot/items.py
index 6c14a79..c22f886 100644
--- a/bundles/dovecot/items.py
+++ b/bundles/dovecot/items.py
@@ -2,10 +2,6 @@
 # by this bundle
 repo.libs.tools.require_bundle(node, 'postfix')
 
-directories = {
-    '/etc/dovecot/ssl': {},
-}
-
 files = {
     '/etc/dovecot/dovecot.conf': {
         'content_type': 'mako',
@@ -56,25 +52,10 @@ symlinks['/usr/lib/dovecot/decode2text.sh'] = {
     },
 }
 
-actions = {
-    'dovecot_generate_dhparam': {
-        'command': 'openssl dhparam -out /etc/dovecot/ssl/dhparam.pem 2048',
-        'unless': 'test -f /etc/dovecot/ssl/dhparam.pem',
-        'cascade_skip': False,
-        'needs': {
-            'directory:/etc/dovecot/ssl',
-            'pkg_apt:'
-        },
-        'triggers': {
-            'svc_systemd:dovecot:restart',
-        },
-    },
-}
-
 svc_systemd = {
     'dovecot': {
         'needs': {
-            'action:dovecot_generate_dhparam',
+            'action:generate-dhparam',
             'file:/etc/dovecot/dovecot.conf',
             'file:/etc/dovecot/dovecot-sql.conf',
         },
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index 2e994e7..a60b79e 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -82,12 +82,13 @@ server {
     ssl_certificate /etc/nginx/ssl/${vhost}.crt;
     ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
 %  endif
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
     ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    ssl_prefer_server_ciphers off;
     ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:10m;
     ssl_session_tickets off;
+    ssl_session_timeout 1d;
 
     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 % endif
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index 2de11db..53edc86 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -78,17 +78,10 @@ if node.has_bundle('pacman'):
         },
     }
 
-actions = {
-    'nginx-generate-dhparam': {
-        'command': 'openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048',
-        'unless': 'test -f /etc/ssl/certs/dhparam.pem',
-    },
-}
-
 svc_systemd = {
     'nginx': {
         'needs': {
-            'action:nginx-generate-dhparam',
+            'action:generate-dhparam',
             'directory:/var/log/nginx-timing',
             package,
         },
diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf
index cb7f95c..44161bc 100644
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@@ -51,16 +51,15 @@ smtpd_data_restrictions = reject_unauth_pipelining
 smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blocked_recipients
 smtpd_relay_before_recipient_restrictions = yes
 
-# generated using mozilla ssl generator, using "old" configuration.
-# we need this to support CentOS 7 systems, sadly ...
-# https://ssl-config.mozilla.org/#server=postfix&version=3.5.13&config=old&openssl=1.1.1k&guideline=5.6
+# https://ssl-config.mozilla.org/#server=postfix&version=3.7.10&config=intermediate&openssl=3.0.11&guideline=5.7
 smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_protocols = !SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_mandatory_ciphers = medium
-tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
-tls_preempt_cipherlist = yes
+smtpd_tls_dh1024_param_file = /etc/ssl/certs/dhparam.pem;
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+tls_preempt_cipherlist = no
 </%text>
 
 relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf