diff --git a/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers b/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
index 0670643..6f1f6b7 100644
--- a/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
+++ b/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
@@ -1,5 +1,5 @@
 {
- # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
- return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+ use esmith::ssl;
+ return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
 }
diff --git a/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols b/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
index 2c1452f..dfb00a6 100644
--- a/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
+++ b/root/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
@@ -1,9 +1,4 @@
 {
-$OUT .= 'SSLv23';
-$OUT .= ':!SSLv2' unless ($qpsmtpd{SSLv2} || 'disabled') eq 'enabled';
-$OUT .= ':!SSLv3' unless ($qpsmtpd{SSLv3} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1' unless ($qpsmtpd{TLSv1} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_1' unless ($qpsmtpd{TLSv1.1} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_2' unless ($qpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_3' unless ($qpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
+use esmith::ssl;
+return SSLprotoQpsmtpd("qpsmtpd");
 }
diff --git a/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_ciphers/10ciphers b/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_ciphers/10ciphers
index 3d369a5..6f1f6b7 100644
--- a/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_ciphers/10ciphers
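Review bot: The removed comment was the only note telling a maintainer that this cipher list is kept in step with the e-smith-apache template, and the new `use esmith::ssl; return ... || $smeCiphers;` lines carry no replacement for it. A one-line comment above the return, e.g. `# default list is $smeCiphers from esmith::ssl; qpsmtpd{tlsCipher} then modSSL{CipherSuite} override it`, would record where the shared default now lives and in which order the overrides apply. The sqpsmtpd and uqpsmtpd cipher templates in this commit have the same gap.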
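Review bot: `return SSLprotoQpsmtpd("qpsmtpd");` moves the protocol policy out of the template, and the removed lines show that the three services did not share defaults: here `TLSv1` and `TLSv1.1` were treated as enabled unless set to something else, while the sqpsmtpd and uqpsmtpd templates treated them as disabled unless explicitly enabled. Whether the helper reproduces that per-service split, or deliberately tightens qpsmtpd, cannot be seen from this diff; if it is deliberate, the changelog entry should say so. A comment such as `# protocol string and per-service defaults are defined by SSLprotoQpsmtpd in esmith::ssl` would point the next reader to the right place. The sqpsmtpd and uqpsmtpd protocol templates in this commit carry the same point.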
+++ b/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_ciphers/10ciphers
@@ -1,5 +1,5 @@
 {
- # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
- return $sqpsmtpd{tlsCipher} || $uqpsmtpd{tlsCipher} ||$modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+ use esmith::ssl;
+ return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
 }
diff --git a/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_protocols/10protocols b/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_protocols/10protocols
index e780d74..5b4d405 100644
--- a/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_protocols/10protocols
+++ b/root/etc/e-smith/templates/var/service/sqpsmtpd/config/tls_protocols/10protocols
@@ -1,9 +1,4 @@
 {
-$OUT .= 'SSLv23';
-$OUT .= ':!SSLv2' unless ($sqpsmtpd{SSLv2} || 'disabled') eq 'enabled';
-$OUT .= ':!SSLv3' unless ($sqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1' unless ($sqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_1' unless ($sqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_2' unless ($sqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_3' unless ($sqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
+use esmith::ssl;
+return SSLprotoQpsmtpd("sqpsmtpd");
 }
diff --git a/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers b/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers
index 5f182b9..6f1f6b7 100644
--- a/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers
+++ b/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers
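Review bot: The new return reads `$qpsmtpd{tlsCipher}` where the removed line read `$sqpsmtpd{tlsCipher} || $uqpsmtpd{tlsCipher}`, so a cipher override configured on the sqpsmtpd (or uqpsmtpd) service record is silently ignored after this upgrade, and the qpsmtpd value now governs sqpsmtpd as well. If one shared setting is the intent, that deserves a line in the changelog and some migration or warning for existing `sqpsmtpd{tlsCipher}` values; otherwise keep the service-specific key first: `return $sqpsmtpd{tlsCipher} || $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;`. The uqpsmtpd cipher template in this commit drops `$uqpsmtpd{tlsCipher}` the same way.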
@@ -1,5 +1,5 @@
 {
- # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
- return $uqpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+ use esmith::ssl;
+ return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
 }
diff --git a/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols b/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols
index 389d79c..7c5a9c7 100644
--- a/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols
+++ b/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols
@@ -1,9 +1,4 @@
 {
-$OUT .= 'SSLv23';
-$OUT .= ':!SSLv2' unless ($uqpsmtpd{SSLv2} || 'disabled') eq 'enabled';
-$OUT .= ':!SSLv3' unless ($uqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1' unless ($uqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_1' unless ($uqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_2' unless ($uqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_3' unless ($uqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
+use esmith::ssl;
+return SSLprotoQpsmtpd("uqpsmtpd");
 }
diff --git a/root/sbin/e-smith/systemd/qpsmtpd-init b/root/sbin/e-smith/systemd/qpsmtpd-init
index 3a3b469..623c67a 100755
--- a/root/sbin/e-smith/systemd/qpsmtpd-init
+++ b/root/sbin/e-smith/systemd/qpsmtpd-init
@@ -31,11 +31,11 @@ export QPSMTPD_CONFIG=/var/service/$ServiceName/config
 rm -f /var/service/qpsmtpd/config/badrcptto_patterns
 # Create dhparam
-[ -e /var/service/qpsmtpd/ssl/dhparam.pem ] || \
+[ -s /var/service/qpsmtpd/ssl/dhparam.pem ] || \
 RANDFILE=/dev/null /usr/bin/openssl dhparam -out /var/service/qpsmtpd/ssl/dhparam.pem 2048
 # Create a default dkim key pair
-[ -e /home/e-smith/dkim_keys/default/private ] || (\
+[ -s /home/e-smith/dkim_keys/default/private ] || (\
 RANDFILE=/dev/null /usr/bin/openssl genrsa -out /home/e-smith/dkim_keys/default/private 2048
 /usr/bin/openssl rsa -in /home/e-smith/dkim_keys/default/private \
 -out /home/e-smith/dkim_keys/default/public -pubout
diff --git a/smeserver-qpsmtpd.spec b/smeserver-qpsmtpd.spec
index 47d3160..c188fc0 100644
--- a/smeserver-qpsmtpd.spec
+++ b/smeserver-qpsmtpd.spec
@@ -4,7 +4,7 @@ Summary: SME Server qpsmtpd module
 %define name smeserver-qpsmtpd
 Name: %{name}
 %define version 11.0.0
-%define release 12
+%define release 13
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -32,7 +32,7 @@ Obsoletes: e-smith-qpsmtpd < %{version}
 Provides: e-smith-qpsmtpd
 Obsoletes: smeserver-qpsmtpd-tnef2mime < %{version}
 Provides: smeserver-qpsmtpd-tnef2mime
-Requires: smeserver-base >= 4.15.2
+Requires: smeserver-base >= 11.0.0-23
 Requires: perl-Convert-TNEF
 Requires: perl-IO-stringy
 Requires: perl-File-MMagic
@@ -45,6 +45,10 @@ AutoReqProv: no
 SME Server qpsmtpd smtpd module
 %changelog
+* Sat Jan 18 2025 Jean-Philippe Pialasse 11.0.0-13.sme
+- use esmith::ssl to set ciphers and protocol [SME: 12822]
+ improve cipher order to get strongers first
+
 * Tue Jan 14 2025 Jean-Philippe Pialasse 11.0.0-12.sme
 - fix /bin/sh is needed because of pretrans scriptlet [SME: 12871]
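Review bot: Switching the two guards from `-e` to `-s` only catches a zero-length dhparam.pem or DKIM private key; if `openssl dhparam` or `openssl genrsa` is interrupted after it has started writing, the next start finds a non-empty but unusable file, skips regeneration, and in the DKIM block `openssl rsa -in` still runs on that key because nothing chains the two commands. Writing to a temporary name and renaming only on success closes both gaps: `RANDFILE=/dev/null /usr/bin/openssl dhparam -out /var/service/qpsmtpd/ssl/dhparam.pem.tmp 2048 && mv /var/service/qpsmtpd/ssl/dhparam.pem.tmp /var/service/qpsmtpd/ssl/dhparam.pem`, and likewise `genrsa ... && /usr/bin/openssl rsa ...` for the key pair. The enclosing script continues outside the hunk.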