diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index 8ef9056..2a8c287 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -111,8 +111,10 @@ in
 # Firewall
 networking.firewall.allowedTCPPorts = [
 143 # IMAP
+ 993 # IMAP (implicit TLS)
 25 # SMTP
 587 # SMTP submission
+ 465 # SMTP submission (implicit TLS)
 ];
 # Service dependencies
@@ -186,7 +188,8 @@ in
 {
 enable = true;
- enableSubmission = true;
+ enableSubmission = true; # plain/STARTTLS (latter is forced in submissionOptions)
+ enableSubmissions = true; # submission with implicit TLS (TCP/465)
 hostname = cfg.fqdn;
 networksStyle = "host";
@@ -257,6 +260,7 @@ in
 non_smtpd_milters = lib.mkIf cfg.dkim.enable (lib.singleton "unix:/run/opendkim/opendkim.sock");
 };
+ # plain/STARTTLS (forced with smtpd_tls_security_level)
 submissionOptions = {
 smtpd_tls_security_level = "encrypt";
 smtpd_sasl_auth_enable = "yes";
@@ -278,6 +282,8 @@ in
 cleanup_service_name = "submission-header-cleanup";
 };
+ # implicit TLS
+ submissionsOptions = config.services.postfix.submissionOptions;
 masterConfig = {
 submission-header-cleanup = {
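Review bot: The firewall list in the first hunk now admits 993, but nothing in this diff enables or configures an implicit-TLS IMAP listener, so it is worth confirming that the IMAP service really binds 993 with the intended certificate. Port 143 stays open next to it; unless the IMAP server refuses authentication before STARTTLS (not visible here), clients can still send credentials in clear on that port. If that enforcement exists, say so in the list, e.g. `143 # IMAP (STARTTLS required, see IMAP server config)`; if cleartext IMAP is not needed at all, 143 could be dropped now that 993 is offered.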
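Review bot: The trailing comment on `enableSubmission` in the second hunk reads as if TCP/587 accepts plaintext sessions, while `smtpd_tls_security_level = "encrypt"` in submissionOptions makes STARTTLS mandatory there; the same "plain/STARTTLS" wording is repeated above `submissionOptions` in the third hunk. A reader auditing the listener policy would be better served by `enableSubmission = true; # TCP/587, STARTTLS required (see submissionOptions)` and, above the option set, `# TCP/587: STARTTLS mandatory via smtpd_tls_security_level = "encrypt"`. The enclosing postfix attribute set starts and ends outside both hunks.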
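Review bot: `submissionsOptions` in the last hunk is a plain alias of the 587 option set, so nothing visible here sets `smtpd_tls_wrappermode` for the 465 listener; as far as I know the NixOS postfix module adds it for the submissions service, but that should be confirmed against the pinned nixpkgs by checking the generated master.cf entry. Reading the value back through `config.services.postfix.submissionOptions` also means any definition merged in from another module applies to both ports, which is probably intended but deserves a word. Suggested comment: `# implicit TLS (TCP/465): same SASL/TLS policy and header cleanup as submissionOptions; wrappermode is supplied by the NixOS postfix module`. The surrounding postfix attribute set continues outside the hunk.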