diff --git a/tasks/mail/configure_postfix.yml b/tasks/mail/configure_postfix.yml
index f727be2acd25684bca56bd2d60c59b7a9817177f..cd1b11421aa4f0d175f5defd2c256410e1b3e9fe 100644
--- a/tasks/mail/configure_postfix.yml
+++ b/tasks/mail/configure_postfix.yml
@@ -16,4 +16,11 @@
       smtpd_recipient_restrictions =
       # smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination    # DEFAULT according to `man 5 postconf`
       smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
+
+      relayhost = [{{ mail_server }}]                                                       # mail server
+      disable_vrfy_command = yes                                                            # security: disable VRFY replies
+      smtpd_tls_mandatory_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2   # security: only TLS 1.3
+      smtpd_tls_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2             # security: only TLS 1.3
+      smtp_tls_mandatory_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2    # security: only TLS 1.3
+      smtp_tls_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2              # security: only TLS 1.3
   notify: restart postfix
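Review bot: The trailing `# ...` comments on the six added parameter lines will become part of the parameter values if this block is written verbatim to main.cf, because Postfix treats `#` as a comment only when it is the first non-whitespace character on a line. That would give `disable_vrfy_command` a non-boolean value and add stray tokens to `relayhost` and the four TLS protocol lists, so the hardening either fails to load or does not apply as intended. Put each comment on its own line above the setting, e.g. `# security: disable VRFY replies` followed by `disable_vrfy_command = yes`. Separately, the hunk does not show `smtp_tls_security_level`; unless it is set to `encrypt` or stricter elsewhere, restricting `smtp_tls_protocols` to TLS 1.3 does not by itself keep mail to the relayhost off cleartext, so that is worth confirming. The task starts outside the hunk, so how the block is rendered is inferred.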
diff --git a/tasks/main.yml b/tasks/main.yml
index 970025c6101ea317ed3541cae586287828ad2b59..03069c0075e65b88db184c31a886f91430f1ecec 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,6 +6,7 @@
     - "cron_apt.vault"
     - "exim.vault"
     - "groups.vault"
+    - "mail.vault"
     - "repos.vault"
     - "sudo.vault"
     - "syslog.vault"