diff --git a/default.nix b/default.nix
index 1fc5e3a..9631a7b 100644
--- a/default.nix
+++ b/default.nix
@@ -325,6 +325,17 @@ in
 '';
 };

+ dhParamBitLength = mkOption {
+ type = types.int;
+ default = 2048;
+ description =
+ ''
+ Length of the Diffie Hillman prime used (in bits). It might be a good
+ idea to set this to 4096 for security purposed, but it will take a _very_
+ long time to create this prime on startup.
+ '';
+ };
+
 debug = mkOption {
 type = types.bool;
 default = false;
diff --git a/mail-server/dovecot-version.nix b/mail-server/dovecot-version.nix
new file mode 100644
index 0000000..4c00972
--- /dev/null
+++ b/mail-server/dovecot-version.nix
@@ -0,0 +1,12 @@
+{ dovecot, gawk, gnused, jq, runCommand }:
+
+runCommand "dovecot-version" {
+ buildInputs = [dovecot gnused jq];
+} ''
+ jq -n \
+ --arg dovecot_version "$(dovecot --version |
+ sed 's/\([0-9.]*\).*/\1/' |
+ awk -F '.' '{ print $1"."$2"."$3 }')" \
+ '[$dovecot_version | split("."), ["major", "minor", "patch"]]
+ | transpose | map( { (.[1]): .[0] | tonumber }) | add' > $out
+''
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 0de7452..7bd52fa 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -24,6 +24,8 @@ let
 # maildir in format "/${domain}/${user}"
 dovecot_maildir = "maildir:${cfg.mailDirectory}/%d/%n";

+ dovecotVersion = builtins.fromJSON
+ (builtins.readFile (pkgs.callPackage ./dovecot-version.nix {}));
 in
 {
 config = with cfg; lib.mkIf enable {
@@ -61,6 +63,9 @@ in
 mail_access_groups = ${vmailGroupName}
 ssl = required

+ ${lib.optionalString (dovecotVersion.major == 2 && dovecotVersion.minor >= 3) ''
+ ssl_dh = <${certificateDirectory}/dh.pem
+ ''}

 service lmtp {
 unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index cfc73d8..a59e8ce 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
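Review bot: The description of the new `dhParamBitLength` option misspells the algorithm and has a typo: `Diffie Hillman` should read `Diffie-Hellman` and `security purposed` should read `security purposes`. `types.int` also accepts zero and negative values, which only fail later when `openssl dhparam` runs at service start; `type = types.ints.positive;` rejects them at evaluation time instead. Since the test files set this to 512, the description could add one sentence saying that values below 2048 are meant for tests only. The `options` set this option lives in starts outside the hunk.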
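Review bot: `gawk` is taken as an argument on the first line of dovecot-version.nix but is missing from `buildInputs` on line 4, so `awk` in the script resolves to whatever the build sandbox provides rather than the declared input; either add it (`buildInputs = [dovecot gawk gnused jq];`) or drop the parameter. Reading this derivation's output with `builtins.readFile` in the dovecot.nix `let` hunk and again in the second systemd.nix hunk is import-from-derivation: it forces a build during evaluation and fails wherever `allow-import-from-derivation` is disabled. The version is already known at evaluation time, so `lib.versionAtLeast (lib.getVersion pkgs.dovecot) "2.3"` would replace the derivation and both `major == 2 && minor >= 3` comparisons with one shared expression (whether a future major version should also enable `ssl_dh` is for the author to decide). As a smaller point, if `dovecot --version` ever prints only two components the awk line appears to emit a trailing `.` and jq's `tonumber` would then fail on an empty string, a case that disappears with the same change.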
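Review bot: The `ssl_dh = <${certificateDirectory}/dh.pem` line makes Dovecot depend on a file this module never creates; it comes from the `createDhParameterFile` snippet added to a preStart in systemd.nix, and nothing visible here ties that unit to dovecot2, so if the snippet runs in another unit, or after dovecot2 has started, Dovecot 2.3 is likely to fail to start on a missing `ssl_dh` file. If that preStart is dovecot2's own, a comment here should say so: `# dh.pem is generated by dovecot2's preStart in systemd.nix`. The enclosing `''` configuration string starts and ends outside the hunk.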
@@ -38,6 +38,14 @@ let
 ''
 else "";

+ createDhParameterFile =
+ ''
+ # Create a dh parameter file
+ ${pkgs.openssl}/bin/openssl \
+ dhparam ${builtins.toString cfg.dhParamBitLength} \
+ > "${cfg.certificateDirectory}/dh.pem"
+ '';
+
 createDomainDkimCert = dom:
 let
 dkim_key = "${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key";
@@ -82,6 +90,13 @@ in
 chmod 02770 "${mailDirectory}"

 ${create_certificate}
+
+ ${let
+ dovecotVersion = builtins.fromJSON
+ (builtins.readFile (pkgs.callPackage ./dovecot-version.nix {}));
+ in lib.optionalString
+ (dovecotVersion.major == 2 && dovecotVersion.minor >= 3)
+ createDhParameterFile}
 '';
 };

diff --git a/tests/extern.nix b/tests/extern.nix
index 3f6c88b..f68c2fb 100644
--- a/tests/extern.nix
+++ b/tests/extern.nix
@@ -27,6 +27,7 @@ import {
 enable = true;
 fqdn = "mail.example.com";
 domains = [ "example.com" "example2.com" ];
+ dhParamBitLength = 512;
 loginAccounts = {
 "user1@example.com" = {
diff --git a/tests/intern.nix b/tests/intern.nix
index 76832a8..9facc44 100644
--- a/tests/intern.nix
+++ b/tests/intern.nix
@@ -27,6 +27,7 @@ import {
 enable = true;
 fqdn = "mail.example.com";
 domains = [ "example.com" ];
+ dhParamBitLength = 512;
 loginAccounts = {
 "user1@example.com" = {
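Review bot: The `openssl dhparam` call in `createDhParameterFile` runs on every service start and the `>` redirect truncates `dh.pem` before any output exists, so a slow or interrupted start (the option description itself warns that 4096 bits takes a very long time) can leave an empty or partial file that the `ssl_dh` setting in dovecot.nix then points at. Generating only when no non-empty file is present, and writing through `-out` to a temporary name followed by `mv`, keeps later starts fast and makes the result atomic; a change of `dhParamBitLength` would then need the old file removed by hand, which the option description should mention. The `let` binding this sits in starts before the hunk.
```nix
  createDhParameterFile =
    ''
      # Create the dh parameter file once; regenerating on every start is
      # slow, and writing via a temporary file avoids a truncated dh.pem.
      if [ ! -s "${cfg.certificateDirectory}/dh.pem" ]; then
        ${pkgs.openssl}/bin/openssl \
          dhparam ${builtins.toString cfg.dhParamBitLength} \
          -out "${cfg.certificateDirectory}/dh.pem.tmp"
        mv "${cfg.certificateDirectory}/dh.pem.tmp" \
           "${cfg.certificateDirectory}/dh.pem"
      fi
    '';
```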
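Review bot: The `dhParamBitLength = 512;` line in tests/extern.nix is presumably there to keep the test fast, but nothing says so; a comment such as `# 512 bits only to keep the test fast; far below a production value` would stop it being copied into real configurations. As far as I know OpenSSL at its default security level rejects DH groups below 1024 bits, so if Dovecot actually loads this file through the module's `ssl_dh` setting the test may be exercising a failure path rather than the feature; 1024 bits is still relatively quick to generate. The same line is added in tests/intern.nix.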