diff --git a/ansible/ispmail.yml b/ansible/ispmail.yml
index 2903d79..25782f8 100644
--- a/ansible/ispmail.yml
+++ b/ansible/ispmail.yml
@@ -19,8 +19,10 @@
       tags: certificate
     - role: ispmail-database
       tags: database
-    #  - ispmail-postfix
-    #  - ispmail-dovecot
+    - role: ispmail-postfix
+      tags: postfix
+    - role: ispmail-dovecot
+      tags: dovecot
     - role: ispmail-webmail-apache-roundcube
       tags: roundcube
     #  - ispmail-webmail-apache-horde
diff --git a/ansible/roles/ispmail-dovecot/files/10-auth.conf b/ansible/roles/ispmail-dovecot/files/10-auth.conf
new file mode 100644
index 0000000..9757224
--- /dev/null
+++ b/ansible/roles/ispmail-dovecot/files/10-auth.conf
@@ -0,0 +1,128 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
+#disable_plaintext_auth = yes
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain login
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext
diff --git a/ansible/roles/ispmail-dovecot/files/10-mail.conf b/ansible/roles/ispmail-dovecot/files/10-mail.conf
index 3ef99fc..a660cb9 100644
--- a/ansible/roles/ispmail-dovecot/files/10-mail.conf
+++ b/ansible/roles/ispmail-dovecot/files/10-mail.conf
@@ -28,7 +28,7 @@
 # <doc/wiki/MailLocation.txt>
 #
 #mail_location = mbox:~/mail:INBOX=/var/mail/%u
-mail_location = maildir:/var/vmail/%d/%n/Maildir
+mail_location = maildir:~/Maildir
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
@@ -47,12 +47,11 @@ namespace inbox {
   # Hierarchy separator to use. You should use the same separator for all
   # namespaces or some clients get confused. '/' is usually a good one.
   # The default however depends on the underlying mail storage format.
-  #separator =
   separator = .
 
   # Prefix required to access this namespace. This needs to be different for
   # all namespaces. For example "Public/".
-  #prefix =
+  #prefix = 
 
   # Physical location of the mailbox. This is in same format as
   # mail_location, which is also the default for it.
@@ -78,14 +77,7 @@ namespace inbox {
   # namespace handles them (empty prefix should always have this as "yes")
   #subscriptions = yes
 
-#  mailbox INBOX.Junk {
-#    auto = subscribe # autocreate and autosubscribe the Junk mailbox
-#    special_use = \Junk
-#  }
-#  mailbox INBOX.Trash {
-#    auto = subscribe # autocreate and autosubscribe the Trash mailbox
-#    special_use = \Trash
-#  }
+  # See 15-mailboxes.conf for definitions of special mailboxes.
 }
 
 # Example shared namespace configuration
@@ -120,7 +112,7 @@ namespace inbox {
 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
 # Typically this is set to "mail" to give access to /var/mail.
-#mail_privileged_group =
+mail_privileged_group = mail
 
 # Grant access to these supplementary groups for mail processes. Typically
 # these are used to set up access to shared mailboxes. Note that it may be
@@ -135,10 +127,22 @@ namespace inbox {
 # or ~user/.
 #mail_full_filesystem_access = no
 
-# Dictionary for key=value mailbox attributes. Currently used by URLAUTH, but
-# soon intended to be used by METADATA as well.
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
 #mail_attribute_dict =
 
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment". 
+#mail_server_comment = ""
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+#mail_server_admin = 
+
 ##
 ## Mail processes
 ##
@@ -162,7 +166,10 @@ namespace inbox {
 # methods. NFS users: flock doesn't work, remember to change mmap_disable.
 #lock_method = fcntl
 
-# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
+# Directory where mails can be temporarily stored. Usually it's used only for
+# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
+# example LDA/LMTP while delivering large mails or zlib plugin for keeping
+# uncompressed mails.
 #mail_temp_dir = /tmp
 
 # Valid UID range for users, defaults to 500 and above. This is mostly
@@ -190,7 +197,7 @@ namespace inbox {
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users. <doc/wiki/Chrooting.txt>
-#valid_chroot_dirs =
+#valid_chroot_dirs = 
 
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
@@ -198,7 +205,7 @@ namespace inbox {
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
-#mail_chroot =
+#mail_chroot = 
 
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
@@ -209,7 +216,7 @@ namespace inbox {
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-#mail_plugins =
+#mail_plugins = 
 
 ##
 ## Mailbox handling optimizations
@@ -217,7 +224,16 @@ namespace inbox {
 
 # Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
 # also required for IMAP NOTIFY extension to be enabled.
-#mailbox_list_index = no
+#mailbox_list_index = yes
+
+# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
+# of potentially returning out-of-date results after e.g. server crashes.
+# The results will be automatically fixed once the folders are opened.
+#mailbox_list_index_very_dirty_syncs = yes
+
+# Should INBOX be kept up-to-date in the mailbox list index? By default it's
+# not, because most of the mailbox accesses will open INBOX anyway.
+#mailbox_list_index_include_inbox = no
 
 # The minimum number of mails in a mailbox before updates are done to cache
 # file. This allows optimizing Dovecot's behavior to do less disk writes at
@@ -226,7 +242,7 @@ namespace inbox {
 
 # When IDLE command is running, mailbox is checked once in a while to see if
 # there are any new mails or other changes. This setting defines the minimum
-# time to wait between those checks. Dovecot can also use dnotify, inotify and
+# time to wait between those checks. Dovecot can also use inotify and
 # kqueue to find out immediately when changes occur.
 #mailbox_idle_check_interval = 30 secs
 
@@ -245,6 +261,19 @@ namespace inbox {
 # These should exist only after Dovecot dies in the middle of saving mails.
 #mail_temp_scan_interval = 1w
 
+# How many slow mail accesses sorting can perform before it returns failure.
+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
+# The untagged SORT reply is still returned, but it's likely not correct.
+#mail_sort_max_read_count = 0
+
+protocol !indexer-worker {
+  # If folder vsize calculation requires opening more than this many mails from
+  # disk (i.e. mail sizes aren't in cache already), return failure and finish
+  # the calculation via indexer process. Disabled by default. This setting must
+  # be 0 for indexer-worker processes.
+  #mail_vsize_bg_after_count = 0
+}
+
 ##
 ## Maildir-specific settings
 ##
@@ -315,7 +344,7 @@ namespace inbox {
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
 # commands.
 #mbox_dirty_syncs = yes
 
@@ -344,7 +373,7 @@ namespace inbox {
 ##
 
 # Maximum dbox file size until it's rotated.
-#mdbox_rotate_size = 2M
+#mdbox_rotate_size = 10M
 
 # Maximum dbox file age until it's rotated. Typically in days. Day begins
 # from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
@@ -380,3 +409,13 @@ namespace inbox {
 # variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
 # Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
 #mail_attachment_hash = %{sha1}
+
+# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
+# By default, all MIME parts with Content-Disposition=attachment, or inlines
+# with filename parameter are consired attachments.
+#   add-flags-on-save - Add the keywords when saving new mails.
+#   content-type=type or !type - Include/exclude content type. Excluding will
+#     never consider the matched MIME part as attachment. Including will only
+#     negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
+#   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
+#mail_attachment_detection_options =
diff --git a/ansible/roles/ispmail-dovecot/files/10-master.conf b/ansible/roles/ispmail-dovecot/files/10-master.conf
index ff5d9f8..c3122a3 100644
--- a/ansible/roles/ispmail-dovecot/files/10-master.conf
+++ b/ansible/roles/ispmail-dovecot/files/10-master.conf
@@ -45,6 +45,12 @@ service pop3-login {
   }
 }
 
+service submission-login {
+  inet_listener submission {
+    #port = 587
+  }
+}
+
 service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
@@ -56,7 +62,7 @@ service lmtp {
   #inet_listener lmtp {
     # Avoid making LMTP visible for the entire internet
     #address =
-    #port =
+    #port = 
   #}
 }
 
@@ -74,6 +80,11 @@ service pop3 {
   #process_limit = 1024
 }
 
+service submission {
+  # Max. number of SMTP Submission processes (connections)
+  #process_limit = 1024
+}
+
 service auth {
   # auth_socket_path points to this userdb socket by default. It's typically
   # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
@@ -88,19 +99,17 @@ service auth {
   # To give the caller full permissions to lookup all users, set the mode to
   # something else than 0666 and Dovecot lets the kernel enforce the
   # permissions (e.g. 0777 allows everyone full permissions).
-  unix_listener auth-userdb {
-    #mode = 0666
-    #user =
-    #group =
-  }
-
-  # Postfix smtp-auth
   unix_listener /var/spool/postfix/private/auth {
-    mode = 0666
+    mode = 0660
     user = postfix
     group = postfix
   }
 
+  # Postfix smtp-auth
+  #unix_listener /var/spool/postfix/private/auth {
+  #  mode = 0666
+  #}
+
   # Auth process is run as this user.
   #user = $default_internal_user
 }
@@ -117,7 +126,7 @@ service dict {
   # For example: mode=0660, group=vmail and global mail_access_groups=vmail
   unix_listener dict {
     #mode = 0600
-    #user =
-    #group =
+    #user = 
+    #group = 
   }
 }
diff --git a/ansible/roles/ispmail-dovecot/files/15-mailboxes.conf b/ansible/roles/ispmail-dovecot/files/15-mailboxes.conf
deleted file mode 100644
index 243ce55..0000000
--- a/ansible/roles/ispmail-dovecot/files/15-mailboxes.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-##
-## Mailbox definitions
-##
-
-# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
-namespace inbox {
-
-  #mailbox name {
-    # auto=create will automatically create this mailbox.
-    # auto=subscribe will both create and subscribe to the mailbox.
-    #auto = no
-
-    # Space separated list of IMAP SPECIAL-USE attributes as specified by
-    # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
-    #special_use =
-  #}
-
-  # These mailboxes are widely used and could perhaps be created automatically:
-  #mailbox Drafts {
-  #  special_use = \Drafts
-  #}
-  mailbox INBOX.Junk {
-    auto = subscribe
-    special_use = \Junk
-  }
-  mailbox INBOX.Trash {
-    auto = subscribe
-    special_use = \Trash
-  }
-
-
-  # For \Sent mailboxes there are two widely used names. We'll mark both of
-  # them as \Sent. User typically deletes one of them if duplicates are created.
-  mailbox INBOX.Sent {
-    special_use = \Sent
-  }
-  #mailbox "Sent Messages" {
-  #  special_use = \Sent
-  #}
-
-  # If you have a virtual "All messages" mailbox:
-  #mailbox virtual/All {
-  #  special_use = \All
-  #}
-
-  # If you have a virtual "Flagged" mailbox:
-  #mailbox virtual/Flagged {
-  #  special_use = \Flagged
-  #}
-}
diff --git a/ansible/roles/ispmail-dovecot/files/20-lmtp.conf b/ansible/roles/ispmail-dovecot/files/20-lmtp.conf
index cd3caaf..6a691ec 100644
--- a/ansible/roles/ispmail-dovecot/files/20-lmtp.conf
+++ b/ansible/roles/ispmail-dovecot/files/20-lmtp.conf
@@ -13,8 +13,14 @@
 # Verify quota before replying to RCPT TO. This adds a small overhead.
 #lmtp_rcpt_check_quota = no
 
+# Which recipient address to use for Delivered-To: header and Received:
+# header. The default is "final", which is the same as the one given to
+# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
+# parameter, "none" uses nothing. Note that "none" is currently always used
+# when a mail has multiple recipients.
+#lmtp_hdr_delivery_address = final
+
 protocol lmtp {
   # Space separated list of plugins to load (default is global mail_plugins).
-  #mail_plugins = $mail_plugins
   mail_plugins = $mail_plugins sieve
 }
diff --git a/ansible/roles/ispmail-dovecot/files/90-sieve.conf b/ansible/roles/ispmail-dovecot/files/90-sieve.conf
index 566f53e..6a2be9e 100644
--- a/ansible/roles/ispmail-dovecot/files/90-sieve.conf
+++ b/ansible/roles/ispmail-dovecot/files/90-sieve.conf
@@ -5,39 +5,81 @@
 # Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
 # by adding it to the respective mail_plugins= settings.
 
+# The Sieve interpreter can retrieve Sieve scripts from several types of
+# locations. The default `file' location type is a local filesystem path
+# pointing to a Sieve script file or a directory containing multiple Sieve
+# script files. More complex setups can use other location types such as
+# `ldap' or `dict' to fetch Sieve scripts from remote databases.
+#
+# All settings that specify the location of one ore more Sieve scripts accept
+# the following syntax:
+#
+# location = [<type>:]path[;<option>[=<value>][;...]]
+#
+# If the type prefix is omitted, the script location type is 'file' and the 
+# location is interpreted as a local filesystem path pointing to a Sieve script
+# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
+# information.
+
 plugin {
-  # The path to the user's main active script. If ManageSieve is used, this the
-  # location of the symbolic link controlled by ManageSieve.
-  sieve = ~/.dovecot.sieve
-
-  # The default Sieve script when the user has none. This is a path to a global
-  # sieve script file, which gets executed ONLY if user's private Sieve script
-  # doesn't exist. Be sure to pre-compile this script manually using the sievec
-  # command line tool.
-  # --> See sieve_before fore executing scripts before the user's personal
+  # The location of the user's main Sieve script or script storage. The LDA
+  # Sieve plugin uses this to find the active script for Sieve filtering at
+  # delivery. The "include" extension uses this location for retrieving
+  # :personal" scripts. This is also where the  ManageSieve service will store
+  # the user's scripts, if supported.
+  # 
+  # Currently only the 'file:' location type supports ManageSieve operation.
+  # Other location types like 'dict:' and 'ldap:' can currently only
+  # be used as a read-only script source ().
+  #
+  # For the 'file:' type: use the ';active=' parameter to specify where the
+  # active script symlink is located.
+  # For other types: use the ';name=' parameter to specify the name of the
+  # default/active script.
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+
+  # The default Sieve script when the user has none. This is the location of a
+  # global sieve script file, which gets executed ONLY if user's personal Sieve
+  # script doesn't exist. Be sure to pre-compile this script manually using the
+  # sievec command line tool if the binary is not stored in a global location.
+  # --> See sieve_before for executing scripts before the user's personal
   #     script.
   #sieve_default = /var/lib/dovecot/sieve/default.sieve
 
-  # Directory for :personal include scripts for the include extension. This
-  # is also where the ManageSieve service stores the user's scripts.
-  sieve_dir = ~/sieve
-
-  # Directory for :global include scripts for the include extension.
-  #sieve_global_dir =
-
-  # Path to a script file or a directory containing script files that need to be
-  # executed before the user's script. If the path points to a directory, all
-  # the Sieve scripts contained therein (with the proper .sieve extension) are
-  # executed. The order of execution within a directory is determined by the
-  # file names, using a normal 8bit per-character comparison. Multiple script
-  # file or directory paths can be specified by appending an increasing number.
-  #sieve_before =
-  #sieve_before2 =
+  # The name by which the default Sieve script (as configured by the 
+  # sieve_default setting) is visible to the user through ManageSieve. 
+  #sieve_default_name = 
+
+  # Location for ":global" include scripts as used by the "include" extension.
+  #sieve_global =
+
+  # The location of a Sieve script that is run for any message that is about to
+  # be discarded; i.e., it is not delivered anywhere by the normal Sieve
+  # execution. This only happens when the "implicit keep" is canceled, by e.g.
+  # the "discard" action, and no actions that deliver the message are executed.
+  # This "discard script" can prevent discarding the message, by executing
+  # alternative actions. If the discard script does nothing, the message is
+	# still discarded as it would be when no discard script is configured.
+  #sieve_discard =
+
+  # Location Sieve of scripts that need to be executed before the user's
+  # personal script. If a 'file' location path points to a directory, all the 
+  # Sieve scripts contained therein (with the proper `.sieve' extension) are
+  # executed. The order of execution within that directory is determined by the
+  # file names, using a normal 8bit per-character comparison.
+  #
+  # Multiple script locations can be specified by appending an increasing number
+  # to the setting name. The Sieve scripts found from these locations are added
+  # to the script execution sequence in the specified order. Reading the
+  # numbered sieve_before settings stops at the first missing setting, so no
+  # numbers may be skipped.
+  #sieve_before = /var/lib/dovecot/sieve.d/
+  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
   #sieve_before3 = (etc...)
 
   # Identical to sieve_before, only the specified scripts are executed after the
-  # user's script (only when keep is still in effect!). Multiple script file or
-  # directory paths can be specified by appending an increasing number.
+  # user's script (only when keep is still in effect!). Multiple script
+  # locations can be specified by appending an increasing number.
   #sieve_after =
   #sieve_after2 =
   #sieve_after2 = (etc...)
@@ -49,7 +91,7 @@ plugin {
   # to disable certain Sieve extensions or enable those that are not available
   # by default. This setting can use '+' and '-' to specify differences relative
   # to the default. For example `sieve_extensions = +imapflags' will enable the
-	# deprecated imapflags extension in addition to all extensions were already
+  # deprecated imapflags extension in addition to all extensions were already
   # enabled by default.
   #sieve_extensions = +notify +imapflags
 
@@ -69,7 +111,7 @@ plugin {
   # setting, the used plugins can be specified. Check the Dovecot wiki
   # (wiki2.dovecot.org) or the pigeonhole website
   # (http://pigeonhole.dovecot.org) for available plugins.
-	# The sieve_extprograms plugin is included in this release.
+  # The sieve_extprograms plugin is included in this release.
   #sieve_plugins =
 
   # The separator that is expected between the :user and :detail
@@ -103,4 +145,71 @@ plugin {
   # set to 0, no limit on the used amount of disk storage is enforced.
   # (Currently only relevant for ManageSieve)
   #sieve_quota_max_storage = 0
+
+  # The primary e-mail address for the user. This is used as a default when no
+  # other appropriate address is available for sending messages. If this setting
+  # is not configured, either the postmaster or null "<>" address is used as a
+  # sender, depending on the action involved. This setting is important when
+  # there is no message envelope to extract addresses from, such as when the
+  # script is executed in IMAP.
+  #sieve_user_email =
+
+  # The path to the file where the user log is written. If not configured, a
+  # default location is used. If the main user's personal Sieve (as configured
+  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
+  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
+  #sieve_user_log =
+
+  # Specifies what envelope sender address is used for redirected messages.
+  # The following values are supported for this setting:
+  #
+  #   "sender"         - The sender address is used (default).
+  #   "recipient"      - The final recipient address is used.
+  #   "orig_recipient" - The original recipient is used.
+  #   "user_email"     - The user's primary address is used. This is
+  #                      configured with the "sieve_user_email" setting. If
+  #                      that setting is unconfigured, "user_mail" is equal to
+  #                      "recipient".
+  #   "postmaster"     - The postmaster_address configured for the LDA.
+  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
+  #                      The angle brackets are mandatory. The null "<>" address
+  #                      is also supported.
+  #
+  # This setting is ignored when the envelope sender is "<>". In that case the
+  # sender of the redirected message is also always "<>".
+  #sieve_redirect_envelope_from = sender
+
+  ## TRACE DEBUGGING
+  # Trace debugging provides detailed insight in the operations performed by
+  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
+  # IMAPSIEVE plugin. 
+  #
+  # WARNING: On a busy server, this functionality can quickly fill up the trace
+  # directory with a lot of trace files. Enable this only temporarily and as
+  # selective as possible.
+  
+  # The directory where trace files are written. Trace debugging is disabled if
+  # this setting is not configured or if the directory does not exist. If the 
+  # path is relative or it starts with "~/" it is interpreted relative to the
+  # current user's home directory.
+  #sieve_trace_dir =
+  
+  # The verbosity level of the trace messages. Trace debugging is disabled if
+  # this setting is not configured. Possible values are:
+  #
+  #   "actions"        - Only print executed action commands, like keep,
+  #                      fileinto, reject and redirect.
+  #   "commands"       - Print any executed command, excluding test commands.
+  #   "tests"          - Print all executed commands and performed tests.
+  #   "matching"       - Print all executed commands, performed tests and the
+  #                      values matched in those tests.
+  #sieve_trace_level =
+  
+  # Enables highly verbose debugging messages that are usually only useful for
+  # developers.
+  #sieve_trace_debug = no
+  
+  # Enables showing byte code addresses in the trace output, rather than only
+  # the source line numbers.
+  #sieve_trace_addresses = no 
 }
diff --git a/ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext b/ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext
index 4a0537b..93200fe 100644
--- a/ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext
+++ b/ansible/roles/ispmail-dovecot/files/auth-sql.conf.ext
@@ -21,6 +21,11 @@ userdb {
   args = uid=vmail gid=vmail home=/var/vmail/%d/%n
 }
 
+#userdb {
+#  driver = sql
+#  args = /etc/dovecot/dovecot-sql.conf.ext
+#}
+
 # If you don't have any user-specific settings, you can avoid the user_query
 # by using userdb static instead of userdb sql, for example:
 # <doc/wiki/UserDatabase.Static.txt>
@@ -28,4 +33,3 @@ userdb {
   #driver = static
   #args = uid=vmail gid=vmail home=/var/vmail/%u
 #}
-
diff --git a/ansible/roles/ispmail-dovecot/handlers/main.yml b/ansible/roles/ispmail-dovecot/handlers/main.yml
index 20efc03..15f975d 100644
--- a/ansible/roles/ispmail-dovecot/handlers/main.yml
+++ b/ansible/roles/ispmail-dovecot/handlers/main.yml
@@ -3,4 +3,3 @@
   service: name=dovecot state=restarted
 - name: recompile sieve script
   command: sievec /etc/dovecot/sieve-after
-
diff --git a/ansible/roles/ispmail-dovecot/tasks/main.yml b/ansible/roles/ispmail-dovecot/tasks/main.yml
index 41bd456..ed93b1f 100644
--- a/ansible/roles/ispmail-dovecot/tasks/main.yml
+++ b/ansible/roles/ispmail-dovecot/tasks/main.yml
@@ -5,14 +5,8 @@
   user: name=vmail uid=5000 group=vmail home=/var/vmail
 - name: Create mailbox directory
   file: path=/var/vmail state=directory owner=vmail group=vmail
-- name: Allow LOGIN authentication method for Outlook clients
-  lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^auth_mechanisms =' line='auth_mechanisms = {{ispmail_dovecot_auth_mechanisms}}' backrefs=yes
-  notify: restart dovecot
-- name: Disabling system authentication
-  lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^!include auth-system.conf.ext' line='#!include auth-system.conf.ext' backrefs=yes
-  notify: restart dovecot
-- name: Enabling SQL-based authentication
-  lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf regexp='^\#!include auth-sql.conf.ext' line='!include auth-sql.conf.ext' backrefs=yes
+- name: Copying SQL authentication configuration (auth-sql.conf.ext)
+  copy: src=10-auth.conf dest=/etc/dovecot/conf.d/10-auth.conf
   notify: restart dovecot
 - name: Copying SQL authentication configuration (auth-sql.conf.ext)
   copy: src=auth-sql.conf.ext dest=/etc/dovecot/conf.d/auth-sql.conf.ext
@@ -24,15 +18,12 @@
   copy: src=10-master.conf dest=/etc/dovecot/conf.d/10-master.conf
   notify: restart dovecot
 - name: Copying SSL configuration (10-ssl.conf)
-  copy: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
+  template: src=10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf
   notify: restart dovecot
 - name: Copying LMTP configuration (20-lmtp.conf - enable sieve plugin)
   copy: src=20-lmtp.conf dest=/etc/dovecot/conf.d/20-lmtp.conf
   notify: restart dovecot
-- name: Copying mailboxes configuration (15-mailboxes.conf - autocreate folders)
-  copy: src=15-mailboxes.conf dest=/etc/dovecot/conf.d/15-mailboxes.conf
-  notify: restart dovecot
-- name: Copying SQL access configuration (dovecot-ssql.conf.ext)
+- name: Copying SQL access configuration (dovecot-sql.conf.ext)
   template: src=dovecot-sql.conf.ext.j2 dest=/etc/dovecot/dovecot-sql.conf.ext
   notify: restart dovecot
 - name: Fixing ownership and mode of dovecot.conf
@@ -49,4 +40,3 @@
 - name: Copying Sieve plugin configuration (90-sieve.conf)
   copy: src=90-sieve.conf dest=/etc/dovecot/conf.d/90-sieve.conf
   notify: restart dovecot
-
diff --git a/ansible/roles/ispmail-dovecot/files/10-ssl.conf b/ansible/roles/ispmail-dovecot/templates/10-ssl.conf
similarity index 55%
rename from ansible/roles/ispmail-dovecot/files/10-ssl.conf
rename to ansible/roles/ispmail-dovecot/templates/10-ssl.conf
index 47ca04c..abc8c90 100644
--- a/ansible/roles/ispmail-dovecot/files/10-ssl.conf
+++ b/ansible/roles/ispmail-dovecot/templates/10-ssl.conf
@@ -3,6 +3,7 @@
 ##
 
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+#ssl = yes
 ssl = required
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
@@ -12,6 +13,10 @@ ssl = required
 ssl_cert = </etc/ssl/certs/mailserver.pem
 ssl_key = </etc/ssl/private/mailserver.pem
 
+# When using Let's Encrypt use these lines instead:
+# ssl_cert = </etc/letsencrypt/live/webmail.example.org/fullchain.pem
+# ssl_key = </etc/letsencrypt/live/webmail.example.org/privkey.pem
+
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
 # world-readable, you may want to place this setting instead to a different
@@ -27,10 +32,11 @@ ssl_key = </etc/ssl/private/mailserver.pem
 #ssl_require_crl = yes
 
 # Directory and/or file for trusted SSL CA certificates. These are used only
-# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
-# directory is usually /etc/ssl/certs in Debian-based systems and the file is
-# /etc/pki/tls/cert.pem in RedHat-based systems.
-#ssl_client_ca_dir =
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
 #ssl_client_ca_file =
 
 # Request client to send a certificate. If you also want to require it, set
@@ -42,17 +48,33 @@ ssl_key = </etc/ssl/private/mailserver.pem
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName
 
-# DH parameters length to use.
-#ssl_dh_parameters_length = 1024
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </usr/share/dovecot/dh.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+#ssl_min_protocol = TLSv1
 
-# SSL protocols to use
-#ssl_protocols = !SSLv2
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 
-# SSL ciphers to use
-#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
 
 # Prefer the server's order of ciphers over client's.
 #ssl_prefer_server_ciphers = no
 
 # SSL crypto device to use, for valid values run "openssl engine"
 #ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+#ssl_options =
diff --git a/ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2 b/ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2
index 568975a..423a5e4 100644
--- a/ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2
+++ b/ansible/roles/ispmail-dovecot/templates/dovecot-sql.conf.ext.j2
@@ -37,7 +37,7 @@
 # settings, like: host=sql1.host.org host=sql2.host.org
 #
 # pgsql:
-#   For available options, see the PostgreSQL documention for the
+#   For available options, see the PostgreSQL documentation for the
 #   PQconnectdb function of libpq.
 #   Use maxconns=n (default 5) to change how many connections Dovecot can
 #   create to pgsql.
@@ -48,6 +48,9 @@
 #
 #   But also adds some new settings:
 #     client_flags           - See MySQL manual
+#     connect_timeout        - Connect timeout in seconds (default: 5)
+#     read_timeout           - Read timeout in seconds (default: 30)
+#     write_timeout          - Write timeout in seconds (default: 30)
 #     ssl_ca, ssl_ca_path    - Set either one or both to enable SSL
 #     ssl_cert, ssl_key      - For sending client-side certificates to server
 #     ssl_cipher             - Set minimum allowed cipher security (default: HIGH)
@@ -141,7 +144,5 @@
 #iterate_query = SELECT username AS user FROM users
 
 driver = mysql
-connect = host=127.0.0.1 dbname=mailserver user=mailuser password={{ispmail_mysql_mailserver_password}}
-default_pass_scheme = SHA256-CRYPT
+connect = host=127.0.0.1 dbname=mailserver user=mailserver password = {{ispmail_mysql_mailserver_password}}
 password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
-
diff --git a/ansible/roles/ispmail-postfix/files/master.cf b/ansible/roles/ispmail-postfix/files/master.cf
index c2df31b..adceda6 100644
--- a/ansible/roles/ispmail-postfix/files/master.cf
+++ b/ansible/roles/ispmail-postfix/files/master.cf
@@ -20,9 +20,6 @@ submission inet n       -       y       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_auth_only=yes
   -o smtpd_reject_unlisted_recipient=no
-#  -o smtpd_client_restrictions=$mua_client_restrictions
-#  -o smtpd_helo_restrictions=$mua_helo_restrictions
-#  -o smtpd_sender_restrictions=$mua_sender_restrictions
   -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
diff --git a/ansible/roles/ispmail-postfix/handlers/main.yml b/ansible/roles/ispmail-postfix/handlers/main.yml
index 9398ba4..ec7fb05 100644
--- a/ansible/roles/ispmail-postfix/handlers/main.yml
+++ b/ansible/roles/ispmail-postfix/handlers/main.yml
@@ -1,6 +1,3 @@
 ---
 - name: restart postfix
   service: name=postfix state=restarted
-
-- name: restart spamassassin
-  service: name=spamassassin state=restarted
diff --git a/ansible/roles/ispmail-postfix/tasks/main.yml b/ansible/roles/ispmail-postfix/tasks/main.yml
index d60c0af..24453d6 100644
--- a/ansible/roles/ispmail-postfix/tasks/main.yml
+++ b/ansible/roles/ispmail-postfix/tasks/main.yml
@@ -76,23 +76,6 @@
 - name: Set TLS encryption key
   command: postconf smtpd_tls_key_file=/etc/ssl/private/mailserver.pem
 
-# - name: Enabling Spamassassin milter
-#   command: postconf smtpd_milters=unix:/spamass/spamass.sock
-
-# - name: Configuring Spamassassin milter
-#   command: postconf milter_connect_macros="i j {daemon_name} v {if_name} _"
-
-# - name: Setting spamd options
-#   copy: src=etc-default-spamassassin dest=/etc/default/spamassassin
-#   notify: restart spamassassin
-
-# - name: Adding user spamass-milter to debian-spamd group
-#   user: name=spamass-milter groups=debian-spamd
-#   notify: restart spamassassin
-
-# - name: Enabling spamd at startup
-#   command: systemctl enable spamassassin
-
 - name: Allow emails up to 40 MB large
   command: postconf message_size_limit=41943040
 
diff --git a/ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2 b/ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2
index cdf6cee..7303edf 100644
--- a/ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2
+++ b/ansible/roles/ispmail-postfix/templates/mysql-email2email.cf.j2
@@ -1,4 +1,4 @@
-user = mailuser
+user = mailserver
 password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
diff --git a/ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2 b/ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2
index 9aad48d..1a4c889 100644
--- a/ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2
+++ b/ansible/roles/ispmail-postfix/templates/mysql-virtual-alias-maps.cf.j2
@@ -1,4 +1,4 @@
-user = mailuser
+user = mailserver
 password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
diff --git a/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2 b/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2
index bca5edb..5f791b4 100644
--- a/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2
+++ b/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-domains.cf.j2
@@ -1,4 +1,4 @@
-user = mailuser
+user = mailserver
 password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
diff --git a/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2 b/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2
index 46ced80..f4e2161 100644
--- a/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2
+++ b/ansible/roles/ispmail-postfix/templates/mysql-virtual-mailbox-maps.cf.j2
@@ -1,4 +1,4 @@
-user = mailuser
+user = mailserver
 password = {{ispmail_mysql_mailserver_password}}
 hosts = 127.0.0.1
 dbname = mailserver
diff --git a/ansible/roles/ispmail-webmail-apache-roundcube/templates/roundcube-password-config.inc.php.j2 b/ansible/roles/ispmail-webmail-apache-roundcube/templates/roundcube-password-config.inc.php.j2
index f8bcc1d..7096916 100644
--- a/ansible/roles/ispmail-webmail-apache-roundcube/templates/roundcube-password-config.inc.php.j2
+++ b/ansible/roles/ispmail-webmail-apache-roundcube/templates/roundcube-password-config.inc.php.j2
@@ -43,7 +43,7 @@ $config['password_force_new_user'] = false;
 // ------------------
 // PEAR database DSN for performing the query. By default
 // Roundcube DB settings are used.
-$config['password_db_dsn'] = 'mysql://mailuser:{{ispmail_mysql_mailserver_password}}@127.0.0.1/mailserver';
+$config['password_db_dsn'] = 'mysql://mailserver:{{ispmail_mysql_mailserver_password}}@127.0.0.1/mailserver';
 
 // The SQL query used to change the password.
 // The query can contain the following macros that will be expanded as follows: