diff --git a/package-postfix_access/defaults/main.yml b/package-postfix_access/defaults/main.yml
new file mode 100644
index 0000000..c4d182e
--- /dev/null
+++ b/package-postfix_access/defaults/main.yml
@@ -0,0 +1,37 @@
+---
+# Default configurations
+# I populate these from external configs; I indicate what they are as inline comments
+
+domain: "{{ blsedomains_admindomain }}" # Base domain name
+postmaster: "root@{{ blsedomains_rootdomain }}" # Postmaster email address
+
+# Roundcube
+smtp_host: "{{ blsecluster_smtphost }}" # The hostname for SMTP access, usually the public name of your mail server
+support_url: "https://www.{{ blsedomains_webdomain }}" # Some website address for Roundcube support
+logo_filename: "bl-logo-roundcube.png" # The Roundcube logo under files/
+roundcube_deskey: "{{ passwd_roundcube_deskey }}" # The Roundcube DES key
+
+# Postfix
+banner_hostname: "{{ ansible_hostname }}.{{ domain }}" # Public hostname of *this* mail host
+myhostname: "{{ banner_hostname }}" # Hostname for Postfix myhostame
+mydomain: "{{ domain }}" # Domain for Postfix mydomain
+mynetworks: "{{ blsecluster_remote1v4 }} {{ blsecluster_remote2v4 }} {{ blsecluster_remote3v4 }} {{ blsecluster_hostsubnetv4 }}" # IP addresses for Postfix mynetworks
+
+# Dovecot
+# Note: SSL listeners aren't provided; HAProxy is expected to do SSL termination for us
+trusted_networks: "{{ blsecluster_hostsubnetv4 }} {{ blsecluster_hostsubnetv6 }}" # Trusted network ranges for Dovecot
+haproxy: yes # Enable HAProxy-specific (Proxy protocol) listeners on ports 10143 and 10110
+
+# LDAP integration (Postfix, Dovecot, Roundcube)
+ldap_host: "{{ blsecluster_ldaphost }}" # The hostname for LDAP access
+ldap_port: 389 # The LDAP port (always non-SSL)
+ldap_basedn: "o=domains,dc=bonilan,dc=net" # The LDAP base DN
+ldap_bind_username: "{{ username_ldap_admin }}" # The LDAP bind user name (usually cn=admin)
+ldap_bind_password: "{{ passwd_ldap_admin }}" # The LDAP bind user password
+
+# MySQL integration (Roundcube)
+mysql_host: "{{ blsecluster_sqlhost }}" # The hostname for MySQL access
+mysql_port: "{{ mysql_client['mail'].port }}" # The port for MySQL access
+mysql_database: "{{ mysql_client['mail'].database }}" # The database name
+mysql_username: "{{ mysql_client['mail'].username }}" # The database user
+mysql_password: "{{ mysql_client['mail'].passwd }}" # The database password
diff --git a/package-postfix_access/files/bl-logo-roundcube.png b/package-postfix_access/files/bl-logo-roundcube.png
new file mode 100644
index 0000000..d47c557
Binary files /dev/null and b/package-postfix_access/files/bl-logo-roundcube.png differ
diff --git a/package-postfix_access/handlers/main.yml b/package-postfix_access/handlers/main.yml
new file mode 100644
index 0000000..fb24197
--- /dev/null
+++ b/package-postfix_access/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+- name: postmap transport
+  command: "postmap /etc/postfix/transport"
+- name: restart amavis
+  service:
+    name: "amavis"
+    state: "restarted"
+- name: restart saslauthd
+  service:
+    name: "saslauthd"
+    state: "restarted"
+- name: restart postfix
+  service:
+    name: "postfix"
+    state: "restarted"
+- name: restart dovecot
+  service:
+    name: "dovecot"
+    state: "restarted"
+- name: restart apache2
+  service:
+    name: "apache2"
+    state: "restarted"
diff --git a/package-postfix_access/tasks/main.yml b/package-postfix_access/tasks/main.yml
new file mode 100644
index 0000000..617ccd8
--- /dev/null
+++ b/package-postfix_access/tasks/main.yml
@@ -0,0 +1,222 @@
+---
+- name: install filtering packages and monitoring components
+  apt:
+    name:
+      - postfix
+      - postfix-ldap
+      - postfix-pcre
+      - dovecot-core
+      - dovecot-imapd
+      - dovecot-pop3d
+      - dovecot-lmtpd
+      - dovecot-sieve
+      - dovecot-managesieved
+      - dovecot-ldap
+      - dovecot-mysql
+      - apache2
+      - libapache2-mod-php
+      - roundcube
+      - roundcube-plugins
+      - php-ldap
+      - php-net-sieve
+      - mailgraph
+      - amavis
+      - spamassassin
+      - clamav-daemon
+      - libnet-dns-perl
+      - libmail-spf-perl
+      - pyzor
+      - razor
+      - pfqueue
+    state: latest
+
+- name: install compression algorithms for scanning
+  apt:
+    name:
+      - p7zip-full
+      - arj
+      - bzip2
+      - cabextract
+      - cpio
+      - file
+      - gzip
+      - lhasa
+      - liblz4-tool
+      - lrzip
+      - lzop
+      - nomarch
+      - pax
+      - rar
+      - rpm
+      - unrar-free
+      - unzip
+      - xz-utils
+      - zip
+    state: latest
+
+# ClamAV
+- name: ensure clamav is in amavis group
+  user:
+    name: "clamav"
+    append: "yes"
+    groups: "amavis"
+
+- name: ensure amavis is in clamav group
+  user:
+    name: "amavis"
+    append: "yes"
+    groups: "clamav"
+
+# Amavis
+- name: install Amavis configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/amavis/conf.d/{{ item }}"
+  notify:
+    - restart amavis
+  with_items:
+    - 15-content_filter_mode
+    - 50-user
+
+# Postfix
+- name: install Postfix main configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/postfix/{{ item }}"
+  notify:
+    - restart postfix
+  with_items:
+    - main.cf
+    - master.cf
+    - helo_access.pcre
+    - transport
+
+- name: map transport
+  command: postmap /etc/postfix/transport
+
+- name: create LDAP config dir
+  file:
+    name: "/etc/postfix/ldap"
+    state: "directory"
+
+- name: install Postfix LDAP configs
+  template:
+    src: "postfix-ldap/{{ item }}.j2"
+    dest: "/etc/postfix/ldap/{{ item }}"
+    mode: "640"
+    group: "postfix"
+  notify:
+    - restart postfix
+  with_items:
+    - catchall_maps.cf
+    - recipient_bcc_maps_domain.cf
+    - recipient_bcc_maps_user.cf
+    - relay_domains.cf
+    - sender_bcc_maps_domain.cf
+    - sender_bcc_maps_user.cf
+    - sender_login_maps.cf
+    - transport_maps_domain.cf
+    - transport_maps_user.cf
+    - virtual_alias_maps.cf
+    - virtual_group_maps.cf
+    - virtual_group_members_maps.cf
+    - virtual_mailbox_domains.cf
+    - virtual_mailbox_maps.cf
+
+- name: link /etc/mailname to /etc/hostname
+  file:
+    dest: "/etc/mailname"
+    src: "/etc/hostname"
+    state: "link"
+    force: "yes"
+
+# Dovecot
+- name: install Dovecot main configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/dovecot/{{ item }}"
+  notify:
+    - restart dovecot
+  with_items:
+    - dovecot.conf
+    - dovecot-ldap.conf
+
+- name: add vmail group
+  group:
+    name: "vmail"
+    gid: "2000"
+    state: "present"
+
+- name: add vmail user
+  user:
+    name: "vmail"
+    home: "/srv/vmail"
+    shell: "/bin/false"
+    uid: "2000"
+    group: "vmail"
+    state: "present"
+
+- name: ensure log ownership
+  file:
+    dest: "/var/log/{{ item }}"
+    owner: "vmail"
+    group: "adm"
+    mode: "644"
+    state: "touch"
+  with_items:
+    - dovecot.log
+    - dovecot-lmtp.log
+
+# Roundcube
+- name: Install roundcube PHP configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/roundcube/{{ item }}"
+    mode: "640"
+    group: "www-data"
+  with_items:
+    - debian-db.php
+    - config.inc.php
+
+- name: Remove default apache2 config
+  file:
+    name: "/etc/apache2/sites-enabled/000-default.conf"
+    state: "absent"
+  notify:
+    - restart apache2
+
+- name: Install roundcube ports config
+  template:
+    src: "ports.conf.j2"
+    dest: "/etc/apache2/ports.conf"
+  notify:
+    - restart apache2
+
+- name: Install roundcube apache2 config
+  template:
+    src: "roundcube.conf.j2"
+    dest: "/etc/roundcube/apache.conf"
+  notify:
+    - restart apache2
+
+- name: create logo dir
+  file:
+    dest: "/var/lib/roundcube/images"
+    state: "directory"
+
+- name: install Roundcube logo
+  copy:
+    src: "{{ logo_filename }}"
+    dest: "/var/lib/roundcube/images/{{ logo_filename }}"
+
+# General
+- name: ensure services are running (and enabled at boot)
+  service:
+    name: "{{ item }}"
+    state: "started"
+    enabled: "yes"
+  with_items:
+    - postfix
+    - amavis
+    - clamav-daemon
+    - dovecot
diff --git a/package-postfix_access/templates/15-content_filter_mode.j2 b/package-postfix_access/templates/15-content_filter_mode.j2
new file mode 100644
index 0000000..8ea341f
--- /dev/null
+++ b/package-postfix_access/templates/15-content_filter_mode.j2
@@ -0,0 +1,12 @@
+use strict;
+
+# Amavis filter configuration
+# {{ ansible_managed }}
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1;  # ensure a defined return
diff --git a/package-postfix_access/templates/50-user.j2 b/package-postfix_access/templates/50-user.j2
new file mode 100644
index 0000000..3f9136a
--- /dev/null
+++ b/package-postfix_access/templates/50-user.j2
@@ -0,0 +1,12 @@
+use strict;
+
+@local_domains_acl = ( "." );
+$sa_tag_level_deflt = -9999;
+$sa_tag2_level_deflt = 4.5;
+$sa_kill_level_deflt = 4.5;
+$sa_spam_subject_tag = '*** SPAM *** ';
+
+$forward_method = 'smtp:[::1]:10025';
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return
diff --git a/package-postfix_access/templates/config.inc.php.j2 b/package-postfix_access/templates/config.inc.php.j2
new file mode 100644
index 0000000..a6bd5af
--- /dev/null
+++ b/package-postfix_access/templates/config.inc.php.j2
@@ -0,0 +1,111 @@
+<?php
+
+/* Local configuration for Roundcube Webmail */
+/* {{ ansible_managed }} */
+
+$config['imap_auth_type'] = 'LOGIN';
+$config['imap_delimiter'] = '/';
+
+// ----------------------------------
+// SMTP
+// ----------------------------------
+$config['smtp_server'] = '{{ smtp_host }}';
+$config['smtp_auth_type'] = 'LOGIN';
+
+$config['support_url'] = '{{ support_url }}';
+
+array(
+    "elastic:login[small]" => "/images/logo_login_small.png",
+    "elastic:login" => "/images/logo_login.png",
+    "elastic:*[small]" => "/images/logo_small.png",
+    "larry:*" => "/images/larry.png",
+    "login" => "/images/logo_login.png",
+    "[print]" => "/images/logo_print.png",
+);
+$config['skin_logo'] = 'images/{{ logo_filename }}';
+
+$config['des_key'] = '{{ roundcube_deskey }}';
+
+// ----------------------------------
+// PLUGINS
+// ----------------------------------
+$config['plugins'] = array('managesieve');
+$config['create_default_folders'] = true;
+$config['quota_zero_as_unlimited'] = true;
+$config['ldap_public'] = array (
+    'global_ldap_abook' =>
+        array (
+            'name' => 'Global LDAP Address Book',
+            'hosts' =>
+                array (
+                    0 => '{{ ldap_host }}',
+                ),
+                'port' => {{ ldap_port }},
+                'use_tls' => false,
+                'ldap_version' => '3',
+                'network_timeout' => 10,
+                'user_specific' => true,
+                'base_dn' => '{{ ldap_basedn }}',
+                'bind_dn' => 'mail=%u@%d,ou=Users,domainName=%d,{{ ldap_basedn }}',
+                'hidden' => false,
+                'searchonly' => false,
+                'writable' => false,
+                'search_fields' =>
+                    array (
+                        0 => 'mail',
+                        1 => 'cn',
+                        2 => 'sn',
+                        3 => 'givenName',
+                        4 => 'street',
+                        5 => 'telephoneNumber',
+                        6 => 'mobile',
+                        7 => 'stree',
+                        8 => 'postalCode',
+                    ),
+                'fieldmap' =>
+                    array (
+                        'name' => 'cn',
+                        'surname' => 'sn',
+                        'firstname' => 'givenName',
+                        'title' => 'title',
+                        'email' => 'mail:*',
+                        'phone:work' => 'telephoneNumber',
+                        'phone:mobile' => 'mobile',
+                        'street' => 'street',
+                        'zipcode' => 'postalCode',
+                        'locality' => 'l',
+                        'department' => 'departmentNumber',
+                        'notes' => 'description',
+                        'phone:workfax' => 'facsimileTelephoneNumber',
+                        'photo' => 'jpegPhoto',
+                    ),
+                'sort' => 'cn',
+                'scope' => 'sub',
+                'filter' => '(&(enabledService=mail)(enabledService=deliver)(enabledService=displayedInGlobalAddressBook)(|(objectClass=mailList)(objectClass=mailAlias)(objectClass=mailUser)))',
+                'fuzzy_search' => true,
+                'vlv' => false,
+                'sizelimit' => '0',
+                'timelimit' => '0',
+                'referrals' => false,
+                'group_filters' =>
+                    array (
+                        'departments' =>
+                            array (
+                                'name' => 'Mailing Lists',
+                                'scope' => 'sub',
+                                'base_dn' => '{{ ldap_basedn }}',
+                                'filter' => '(&(objectclass=mailList)(accountStatus=active)(enabledService=displayedInGlobalAddressBook))',
+                                'name_attr' => 'cn',
+                                'email' => 'mail',
+                            ),
+                    ),
+        ),
+);
+$config['autocomplete_addressbooks'] = array('sql', 'global_ldap_abook');
+$config['skin'] = 'elastic';
+$config['addressbook_sort_col'] = 'name';
+$config['draft_autosave'] = 60;
+$config['check_all_folders'] = true;
+$config['autoexpand_threads'] = 2;
+
+include_once("/etc/roundcube/debian-db-roundcube.php");
diff --git a/package-postfix_access/templates/debian-db.php.j2 b/package-postfix_access/templates/debian-db.php.j2
new file mode 100644
index 0000000..191b384
--- /dev/null
+++ b/package-postfix_access/templates/debian-db.php.j2
@@ -0,0 +1,9 @@
+<?php
+/* {{ ansible_managed }} */
+$dbuser='{{ mysql_username }}';
+$dbpass='{{ mysql_password }}';
+$basepath='';
+$dbname='{{ mysql_database }}';
+$dbserver='{{ mysql_host }}';
+$dbport='{{ mysql_port }}';
+$dbtype='mysql';
diff --git a/package-postfix_access/templates/dovecot-ldap.conf.j2 b/package-postfix_access/templates/dovecot-ldap.conf.j2
new file mode 100644
index 0000000..1885806
--- /dev/null
+++ b/package-postfix_access/templates/dovecot-ldap.conf.j2
@@ -0,0 +1,21 @@
+# Dovecot LDAP interface configuration
+# {{ ansible_managed }}
+
+hosts           = {{ ldap_host }}:{{ ldap_port }}
+ldap_version    = 3
+auth_bind       = yes
+dn              = {{ ldap_bind_username }}
+dnpass          = {{ ldap_bind_password }}
+base            = {{ ldap_basedn }}
+scope           = subtree
+deref           = never
+
+# Below two are required by command 'doveadm mailbox ...'
+iterate_attrs   = mail=user
+iterate_filter  = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail))
+
+user_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))
+user_attrs      = mail=user,homeDirectory=home,=mail=maildir:~/Maildir/,mailQuota=quota_rule=*:bytes=%$
+pass_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))
+pass_attrs      = mail=user,userPassword=password
+default_pass_scheme = SSHA
diff --git a/package-postfix_access/templates/dovecot.conf.j2 b/package-postfix_access/templates/dovecot.conf.j2
new file mode 100644
index 0000000..6b8aa63
--- /dev/null
+++ b/package-postfix_access/templates/dovecot.conf.j2
@@ -0,0 +1,177 @@
+# Dovecot main configuration
+# {{ ansible_managed }}
+
+listen = *, [::]
+mail_plugins = quota
+protocols = pop3 imap sieve lmtp
+mail_uid = 2000
+mail_gid = 2000
+first_valid_uid = 2000
+last_valid_uid = 2000
+log_path = /var/log/dovecot.log
+mail_debug = no
+auth_verbose = no
+auth_debug = no
+auth_debug_passwords = no
+auth_verbose_passwords = no
+ssl = no
+mailbox_list_index = yes
+disable_plaintext_auth = no
+mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/:VOLATILEDIR=/tmp/dovecot-volatile/%d/%u
+auth_default_realm = {{ domain }}
+auth_mechanisms = PLAIN LOGIN
+haproxy_trusted_networks = {{ trusted_networks }}
+haproxy_timeout = 5s
+service auth {
+    unix_listener /var/spool/postfix/private/dovecot-auth {
+        user = postfix
+        group = postfix
+        mode = 0666
+    }
+    unix_listener auth-master {
+        user = vmail
+        group = vmail
+        mode = 0666
+    }
+    unix_listener auth-userdb {
+        user = vmail
+        group = vmail
+        mode = 0660
+    }
+}
+service lmtp {
+    user = vmail
+    process_min_avail = 5
+    executable = lmtp -L
+    unix_listener /var/spool/postfix/private/dovecot-lmtp {
+        user = postfix
+        group = postfix
+        mode = 0600
+    }
+    inet_listener lmtp {
+        port = 24
+    }
+}
+service stats {
+    unix_listener stats-reader {
+        user = dovecot
+        group = postfix
+        mode = 0660
+    }
+    unix_listener stats-writer {
+        user = dovecot
+        group = postfix
+        mode = 0660
+    }
+}
+userdb {
+    args = /etc/dovecot/dovecot-ldap.conf
+    driver = ldap
+}
+passdb {
+    args = /etc/dovecot/dovecot-ldap.conf
+    driver = ldap
+}
+plugin {
+    auth_socket_path = /var/run/dovecot/auth-master
+    acl = vfile
+    acl_shared_dict = proxy::acl
+    sieve_dir = /%Lh/sieve
+    sieve = /%Lh/sieve/dovecot.sieve
+    sieve_global_dir = /srv/vmail/sieve
+    sieve_default = /srv/vmail/sieve/dovecot.sieve
+}
+service dict {
+    unix_listener dict {
+        mode = 0660
+        user = vmail
+        group = vmail
+    }
+}
+protocol lda {
+    mail_plugins = $mail_plugins sieve
+    auth_socket_path = /run/dovecot/auth-master
+    log_path = /var/log/dovecot.log
+    lda_mailbox_autocreate = yes
+    postmaster_address = {{ postmaster }}
+}
+protocol lmtp {
+    info_log_path = /var/log/dovecot-lmtp.log
+    mail_plugins = quota sieve
+    postmaster_address = {{ postmaster }}
+    lmtp_save_to_detail_mailbox = yes
+    recipient_delimiter = +
+}
+protocol imap {
+    mail_plugins = $mail_plugins imap_quota
+    imap_client_workarounds = tb-extra-mailbox-sep
+}
+protocol pop3 {
+    mail_plugins = $mail_plugins
+    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
+    pop3_uidl_format = %08Xu%08Xv
+}
+service imap-login {
+    service_count = 1
+    process_limit = 500
+    inet_listener imap {
+        port = 143
+    }
+{% if haproxy %}
+    inet_listener imap-haproxy {
+        port = 10143
+        haproxy = yes
+    }
+{% endif %}
+}
+service pop3-login {
+    service_count = 1
+    process_limit = 500
+    inet_listener pop3 {
+        port = 110
+    }
+{% if haproxy %}
+    inet_listener pop3-haproxy {
+        port = 10110
+        haproxy = yes
+    }
+{% endif %}
+}
+namespace {
+    type = private
+    separator = /
+    prefix =
+    inbox = yes
+    mailbox Sent {
+        auto = subscribe
+        special_use = \Sent
+    }
+    mailbox "Sent Messages" {
+        auto = no
+        special_use = \Sent
+    }
+    mailbox Drafts {
+        auto = subscribe
+        special_use = \Drafts
+    }
+    mailbox Trash {
+        auto = subscribe
+        special_use = \Trash
+    }
+    mailbox Junk {
+        auto = subscribe
+        special_use = \Junk
+    }
+    mailbox Spam {
+        auto = no
+        special_use = \Junk
+    }
+}
+namespace {
+    type = shared
+    separator = /
+    prefix = Shared/%%u/
+    location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u:VOLATILEDIR=/tmp/dovecot-volatile/Shared/%%u
+    subscriptions = yes
+    list = children
+}
diff --git a/package-postfix_access/templates/helo_access.pcre.j2 b/package-postfix_access/templates/helo_access.pcre.j2
new file mode 100644
index 0000000..52dbede
--- /dev/null
+++ b/package-postfix_access/templates/helo_access.pcre.j2
@@ -0,0 +1,143 @@
+# Main Postfix configuration
+# {{ ansible_managed }}
+
+# No one will use these in helo command.
+/^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(localhost.localdomain)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(\.local)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+
+# Reject who use IP address as helo.
+# Correct:      [xxx.xxx.xxx.xxx]
+# Incorrect:    xxx.xxx.xxx.xxx
+/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (${1})
+
+#
+# This is the real HELO identify of these ISPs:
+#   sohu.com    websmtp.sohu.com relay2nd.mail.sohu.com
+#   126.com     m15-78.126.com
+#   163.com     m31-189.vip.163.com m13-49.163.com
+#   sina.com    mail2-209.sinamail.sina.com.cn
+#   gmail.com   xx-out-NNNN.google.com
+/^(126\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(163\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(163\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(sohu\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/(gmail\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(google\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(yahoo\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+/^(yahoo\.co\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
+
+#
+# Spammers.
+#
+/^(728154EA470B4AA\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(taj-co\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(CF8D3DB045C1455\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(dsgsfdg\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(se\.nit7-ngbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mail\.goo\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(n-ong_an\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(meqail\.teamefs-ine5tl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(zzg\.jhf-sp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(din_glo-ng\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(fda-cnc\.ie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(yrtaj-yrco\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(m\.am\.biz\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(xr_haig\.roup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(hjn\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(we_blf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(netvigator\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mysam\.biz)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(mail\.teams-intl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(seningbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nblf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(kdn\.ktguide\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(zzsp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nblongan\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(dpu\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(nbalton\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(cncie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(xinhaigroup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/^(wz\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/(\.zj\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+/(\.kornet)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1})
+
+/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(system\.mail)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(speedtouch\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+
+#
+# Reject adsl spammers.
+#
+/(adsl)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dynamic)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(pppoe)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.brasiltelecom\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.optinet\.hr)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dsl\.telesp\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dialup)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(dhcp)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(pool-)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/^(cpe-)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(\.cpe\.)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+/(speedy\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(speedyterra\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(static\.sbb\.rs)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+/(static\.vsnl\.net\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+/(advance\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(airtelbroadband\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(bb\.netvision\.net\.il)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(bezeqint\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(broadband3\.iol\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(cable\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(catv\.broadband\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(chello\.nl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(chello\.sk)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(client\.mchsi\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(comunitel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(coprosys\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dclient\.hispeed\.ch)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dip0\.t-ipconnect\.de)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(domain\.invalid)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(dyn\.centurytel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(embarqhsd\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(emcali\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(epm\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(eutelia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(fastwebnet\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(fibertel\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(freedom2surf\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(hgcbroadband\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(HINET-IP\.hinet\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(infonet\.by)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(is74\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(kievnet\.com\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(metrotel\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(nw\.nuvox\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pldt\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pool\.invitel\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pool\.ukrtel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pools\.arcor-ip\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(pppoe\.avangarddsl\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(retail\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(revip2\.asianet\.co\.th)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tim\.ro)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tsi\.tychy\.pl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(ttnet\.net\.tr)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(tttmaxnet\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(user\.veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(utk\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(virtua\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wanamaroc\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wbt\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(wireless\.iaw\.on\.ca)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(business\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(cotas\.com\.bo)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(marunouchi\.tokyo\.ocn\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(amedex\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
+/(aageneva\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
diff --git a/package-postfix_access/templates/main.cf.j2 b/package-postfix_access/templates/main.cf.j2
new file mode 100644
index 0000000..ca936de
--- /dev/null
+++ b/package-postfix_access/templates/main.cf.j2
@@ -0,0 +1,89 @@
+# Main Postfix configuration
+# {{ ansible_managed }}
+
+smtpd_banner = {{ banner_hostname }} ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+delay_warning_time = 48h
+maximal_queue_lifetime = 14d
+bounce_queue_lifetime = 14d
+readme_directory = no
+compatibility_level = 2
+
+smtp_use_tls=yes
+smtp_tls_cert_file=/etc/ssl/{{ banner_hostname }}.crt
+smtp_tls_key_file=/etc/ssl/{{ banner_hostname }}.key
+smtpd_tls_cert_file=/etc/ssl/letsencrypt/infrastructure.pem
+smtpd_tls_key_file=/etc/ssl/letsencrypt/infrastructure.pem
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+myhostname = {{ myhostname }}
+mydomain = {{ mydomain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = localhost
+
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ mynetworks }}
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+swap_bangpath = no
+mynetworks_style = host
+smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_reject_unlisted_recipient = yes
+smtpd_reject_unlisted_sender = yes
+smtp_tls_security_level = may
+smtp_tls_CAfile = $smtpd_tls_CAfile
+smtp_tls_loglevel = 0
+smtp_tls_note_starttls_offer = yes
+proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
+smtp_data_init_timeout = 240s
+smtp_data_xfer_timeout = 600s
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
+queue_run_delay = 300s
+minimal_backoff_time = 300s
+maximal_backoff_time = 4000s
+enable_original_recipient = no
+disable_vrfy_command = yes
+home_mailbox = Maildir/
+allow_min_user = no
+message_size_limit = 52428800
+virtual_minimum_uid = 2000
+virtual_uid_maps = static:2000
+virtual_gid_maps = static:2000
+virtual_mailbox_base = /srv/vmail
+
+transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf, hash:/etc/postfix/transport
+virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
+virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
+virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
+sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
+recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
+
+smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_local_domain = 
+broken_sasl_auth_clients = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_tls_auth_only = no
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
+smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
+smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 0
+tls_random_source = dev:/dev/urandom
+
+command_time_limit = 12h
+ipc_timeout = 12h
+
+mailbox_command = /usr/lib/dovecot/deliver
+virtual_transport = dovecot
+dovecot_destination_recipient_limit = 1
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/dovecot-auth
+smtp-amavis_destination_recipient_limit = 1
+virtual_alias_domains = 
diff --git a/package-postfix_access/templates/master.cf.j2 b/package-postfix_access/templates/master.cf.j2
new file mode 100644
index 0000000..f83609f
--- /dev/null
+++ b/package-postfix_access/templates/master.cf.j2
@@ -0,0 +1,73 @@
+# Postfix master process configuration file
+# {{ ansible_managed }}
+
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#         (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+pickup    unix  n       -       y       60      1       pickup
+  -o content_filter=
+  -o receive_override_options=no_header_body_checks
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+smtp-ipv4 unix  -       -       y       -       -       smtp
+  -o inet_protocols=ipv4
+relay     unix  -       -       y       -       -       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+
+submission inet n       -       n       -       -       smtpd
+  -o smtpd_enforce_tls=no
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_upstream_proxy_protocol=haproxy
+  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+  -o content_filter=smtp-amavis:[::1]:10024
+
+dovecot unix    -       n       n       -       -      pipe
+    -o soft_bounce=yes
+    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}
+
+smtp-amavis     unix    -       -       y       -       2       smtp
+  -o smtp_data_done_timeout=1200
+  -o smtp_send_xforward_command=yes
+  -o disable_dns_lookups=yes
+  -o max_use=20
+
+[::1]:10025 inet    n       -       y       -       -       smtpd
+  -o inet_protocols=ipv6
+  -o content_filter=
+  -o local_recipient_maps=
+  -o relay_recipient_maps=
+  -o smtpd_restriction_classes=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_data_restrictions=reject_unauth_pipelining
+  -o smtpd_end_of_data_restrictions=
+  -o mynetworks=127.0.0.0/8,[::1]/128
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
diff --git a/package-postfix_access/templates/ports.conf.j2 b/package-postfix_access/templates/ports.conf.j2
new file mode 100644
index 0000000..87830fb
--- /dev/null
+++ b/package-postfix_access/templates/ports.conf.j2
@@ -0,0 +1,4 @@
+# Roundcube custom port configuration
+# {{ ansible_managed }}
+
+Listen 81
diff --git a/package-postfix_access/templates/postfix-ldap/catchall_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/catchall_maps.cf.j2
new file mode 100644
index 0000000..14d3eca
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/catchall_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(objectClass=mailUser)(accountStatus=active)(|(mail=@%d)(shadowAddress=@%d)))
+result_attribute= mailForwardingAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_domain.cf.j2 b/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_domain.cf.j2
new file mode 100644
index 0000000..7157f02
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_domain.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(|(domainName=%d)(domainAliasName=%d))(accountStatus=active)(enabledService=mail)(enabledService=recipientbcc))
+result_attribute= domainRecipientBccAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_user.cf.j2 b/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_user.cf.j2
new file mode 100644
index 0000000..6008c2f
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/recipient_bcc_maps_user.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = ou=Users,domainName=%d,{{ ldap_basedn }}
+scope           = one
+query_filter    = (&(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=recipientbcc))
+result_attribute= userRecipientBccAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/relay_domains.cf.j2 b/package-postfix_access/templates/postfix-ldap/relay_domains.cf.j2
new file mode 100644
index 0000000..4d23609
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/relay_domains.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+bind            = yes
+start_tls       = no
+version         = 3
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(|(domainName=%s)(&(enabledService=domainalias)(domainAliasName=%s)))(domainBackupMX=yes)(accountStatus=active)(enabledService=mail))
+result_attribute= domainName
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_domain.cf.j2 b/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_domain.cf.j2
new file mode 100644
index 0000000..d3eace7
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_domain.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(|(domainName=%d)(domainAliasName=%d))(accountStatus=active)(enabledService=mail)(enabledService=senderbcc))
+result_attribute= domainSenderBccAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_user.cf.j2 b/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_user.cf.j2
new file mode 100644
index 0000000..1a9b1cf
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/sender_bcc_maps_user.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = ou=Users,domainName=%d,{{ ldap_basedn }}
+scope           = one
+query_filter    = (&(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=senderbcc))
+result_attribute= userSenderBccAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/sender_login_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/sender_login_maps.cf.j2
new file mode 100644
index 0000000..d479cdd
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/sender_login_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=smtp)(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s))))
+result_attribute= mail
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/transport_maps_domain.cf.j2 b/package-postfix_access/templates/postfix-ldap/transport_maps_domain.cf.j2
new file mode 100644
index 0000000..a283c70
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/transport_maps_domain.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(accountStatus=active)(enabledService=mail)(|(domainName=%s)(domainAliasName=%s)))
+result_attribute= mtaTransport
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/transport_maps_user.cf.j2 b/package-postfix_access/templates/postfix-ldap/transport_maps_user.cf.j2
new file mode 100644
index 0000000..5147f24
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/transport_maps_user.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = ou=Users,domainName=%d,{{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailUser)(mail=%s)(accountStatus=active)(enabledService=mail))
+result_attribute= mtaTransport
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_alias_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_alias_maps.cf.j2
new file mode 100644
index 0000000..1d8867d
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_alias_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(|(mail=%s)(shadowAddress=%s))(accountStatus=active)(enabledService=mail)(enabledService=deliver)(|(objectClass=mailAlias)(&(objectClass=mailUser)(enabledService=forward))))
+result_attribute= mailForwardingAddress
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_group_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_group_maps.cf.j2
new file mode 100644
index 0000000..009d6fd
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_group_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(accountStatus=active)(enabledService=mail)(enabledService=deliver)(|(&(|(memberOfGroup=%s)(shadowAddress=%s))(objectClass=mailUser))(&(memberOfGroup=%s)(!(shadowAddress=%s))(|(objectClass=mailExternalUser)(objectClass=mailList)(objectClass=mailAlias)))))
+result_attribute= mail
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_group_members_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_group_members_maps.cf.j2
new file mode 100644
index 0000000..da5a6c6
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_group_members_maps.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=deliver)(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s))))
+result_attribute= mail
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_mailbox_domains.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_mailbox_domains.cf.j2
new file mode 100644
index 0000000..b831c35
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_mailbox_domains.cf.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+bind            = yes
+start_tls       = no
+version         = 3
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = one
+query_filter    = (&(objectClass=mailDomain)(|(domainName=%s)(&(enabledService=domainalias)(domainAliasName=%s)))(!(domainBackupMX=yes))(accountStatus=active)(enabledService=mail))
+result_attribute= domainName
+debuglevel      = 0
diff --git a/package-postfix_access/templates/postfix-ldap/virtual_mailbox_maps.cf.j2 b/package-postfix_access/templates/postfix-ldap/virtual_mailbox_maps.cf.j2
new file mode 100644
index 0000000..442a2f8
--- /dev/null
+++ b/package-postfix_access/templates/postfix-ldap/virtual_mailbox_maps.cf.j2
@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+server_host     = {{ ldap_host }}
+server_port     = {{ ldap_port }}
+version         = 3
+bind            = yes
+start_tls       = no
+bind_dn         = {{ username_ldap_admin }}
+bind_pw         = {{ passwd_ldap_admin }}
+search_base     = {{ ldap_basedn }}
+scope           = sub
+query_filter    = (&(objectClass=mailUser)(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))(accountStatus=active)(enabledService=mail)(enabledService=deliver))
+result_attribute= mailMessageStore
+result_format   = %s/Maildir/
+debuglevel      = 0
diff --git a/package-postfix_access/templates/roundcube.conf.j2 b/package-postfix_access/templates/roundcube.conf.j2
new file mode 100644
index 0000000..67439e1
--- /dev/null
+++ b/package-postfix_access/templates/roundcube.conf.j2
@@ -0,0 +1,47 @@
+DocumentRoot /var/lib/roundcube
+Alias /mail /var/lib/roundcube
+
+<Directory /var/lib/roundcube/>
+  Options +FollowSymLinks
+  # This is needed to parse /var/lib/roundcube/.htaccess. See its
+  # content before setting AllowOverride to None.
+  AllowOverride All
+  <IfVersion >= 2.3>
+    Require all granted
+  </IfVersion> 
+  <IfVersion < 2.3>
+    Order allow,deny
+    Allow from all
+  </IfVersion>
+</Directory>
+
+# Protecting basic directories:
+<Directory /var/lib/roundcube/config>
+        Options -FollowSymLinks
+        AllowOverride None
+</Directory>
+
+<Directory /var/lib/roundcube/temp>
+        Options -FollowSymLinks
+        AllowOverride None
+        <IfVersion >= 2.3>
+          Require all denied
+        </IfVersion> 
+        <IfVersion < 2.3>
+          Order allow,deny
+          Deny from all
+        </IfVersion>
+</Directory>
+
+<Directory /var/lib/roundcube/logs>
+        Options -FollowSymLinks
+        AllowOverride None
+        <IfVersion >= 2.3>
+          Require all denied
+        </IfVersion> 
+        <IfVersion < 2.3>
+          Order allow,deny
+          Deny from all
+        </IfVersion>
+</Directory>
+
diff --git a/package-postfix_access/templates/transport.j2 b/package-postfix_access/templates/transport.j2
new file mode 100644
index 0000000..da9f35c
--- /dev/null
+++ b/package-postfix_access/templates/transport.j2
@@ -0,0 +1,3 @@
+# Gmail-specific transfer policy
+# {{ ansible_managed }}
+gmail.com smtp-ipv4:
diff --git a/package-postfix_filter/defaults/main.yml b/package-postfix_filter/defaults/main.yml
new file mode 100644
index 0000000..7e116ab
--- /dev/null
+++ b/package-postfix_filter/defaults/main.yml
@@ -0,0 +1,35 @@
+---
+# Default configurations
+# I populate these from external configs; I indicate what the are as inline comments
+
+# Postfix
+
+# A list of relay domains and their target (square-bracked hostname/IP + port); examples follow
+relay_domains: "{{ blse_relaydomains }}"
+#  - domain: "some.domain.tld"
+#    relay: "[mail.domain.tld]"
+#  - domain: "other.domain.tld"
+#    relay: "[secure.domain.tld]:465"
+
+# A list of RBLs to check for rejecting incoming mail
+remote_block_lists:
+  - bl.spamcop.net
+  - zen.spamhaus.org
+  - cbl.abuseat.org
+
+# Enable TLS (literal yes/no only) and, if yes, the cert and key files
+tls_enabled: yes
+tls_cert: "/etc/ssl/{{ ansible_fqdn }}.crt"
+tls_key: "/etc/ssl/{{ ansible_fqdn }}.key"
+
+# Virtual address maps
+virtual_maps:
+  - regex: "/^postmaster@/"
+    map: "root@{{ blsedomains_admindomain }}"
+
+# SpamAssassin
+notify_admin: "joshua@boniface.me" # Administrative address to notify
+notify_method: "smtp:{{ blsecluster_smtphost }}:25"
+custom_sender_scores:
+  - [qr'^(offers)@'i => 1.0]
+  - [qr'^.*@pizzanova.com'i => 1.0]
diff --git a/package-postfix_filter/files/ham-sample/README b/package-postfix_filter/files/ham-sample/README
new file mode 100644
index 0000000..76b5c47
--- /dev/null
+++ b/package-postfix_filter/files/ham-sample/README
@@ -0,0 +1,2 @@
+Populate me with spam-tagged legit emails.
+Then `tar -cvJf ham-sample.txz ham-sample/` in the parent directory.
diff --git a/package-postfix_filter/files/spam-sample/README b/package-postfix_filter/files/spam-sample/README
new file mode 100644
index 0000000..76b5c47
--- /dev/null
+++ b/package-postfix_filter/files/spam-sample/README
@@ -0,0 +1,2 @@
+Populate me with spam-tagged legit emails.
+Then `tar -cvJf ham-sample.txz ham-sample/` in the parent directory.
diff --git a/package-postfix_filter/handlers/main.yml b/package-postfix_filter/handlers/main.yml
new file mode 100644
index 0000000..e7784cc
--- /dev/null
+++ b/package-postfix_filter/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: postmap transport
+  command: "postmap /etc/postfix/transport"
+- name: restart amavis
+  service:
+    name: "amavis"
+    state: "restarted"
+- name: restart saslauthd
+  service:
+    name: "saslauthd"
+    state: "restarted"
+- name: restart postfix
+  service:
+    name: "postfix"
+    state: "restarted"
+- name: restart spamassassin
+  service:
+    name: "spamassassin"
+    state: "restarted"
diff --git a/package-postfix_filter/tasks/main.yml b/package-postfix_filter/tasks/main.yml
new file mode 100644
index 0000000..ba1f684
--- /dev/null
+++ b/package-postfix_filter/tasks/main.yml
@@ -0,0 +1,220 @@
+---
+#
+# Install role packages
+#
+
+- name: install filtering packages and monitoring components
+  apt:
+    name:
+      - postfix
+      - postfix-pcre
+      - mailgraph
+      - amavis
+      - spamassassin
+      - clamav-daemon
+      - libnet-dns-perl
+      - libmail-spf-perl
+      - postfix-policyd-spf-python
+      - pfqueue
+    state: latest
+
+- name: install compression algorithms for scanning
+  apt:
+    name:
+      - p7zip-full
+      - arj
+      - bzip2
+      - cabextract
+      - cpio
+      - file
+      - gzip
+      - lhasa
+      - liblz4-tool
+      - lrzip
+      - lzop
+      - nomarch
+      - pax
+      - rar
+      - rpm
+      - unrar-free
+      - unzip
+      - xz-utils
+      - zip
+    state: latest
+
+#
+# ClamAV
+#
+
+- name: ensure clamav is in amavis group
+  user:
+    name: "clamav"
+    append: "yes"
+    groups: "amavis"
+
+- name: ensure amavis is in clamav group
+  user:
+    name: "amavis"
+    append: "yes"
+    groups: "clamav"
+
+#
+# policyd SPF
+#
+
+- name: install policyd-spf config
+  template: 
+   src: "{{ item }}.j2"
+   dest: "/etc/postfix-policyd-spf-python/{{ item }}"
+  notify:
+    - restart postfix
+  with_items:
+    - "policyd-spf.conf"
+
+#
+# SpamAssassin
+#
+
+- name: install SpamAssassin config
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/spamassassin/{{ item }}"
+  notify:
+    - restart spamassassin
+    - restart amavis
+  with_items:
+  - "local.cf"
+  - "90_customrules.cf"
+
+#
+# Amavis
+#
+
+- name: install Amavis configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/amavis/conf.d/{{ item }}"
+  notify:
+    - restart amavis
+  with_items:
+  - "15-content_filter_mode"
+  - "50-user"
+
+#
+# Postfix
+#
+
+- name: create the Postfix local config dir
+  file:
+    state: directory
+    dest: "/etc/postfix/local"
+
+- name: install the Postfix main configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/postfix/{{ item }}"
+  notify:
+  - restart postfix
+  with_items:
+  - "main.cf"
+  - "master.cf"
+
+- name: install the Postfix local configs
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/postfix/local/{{ item }}"
+  notify:
+  - restart postfix
+  with_items:
+    - helo_access
+    - recipient_access
+    - relay_domains
+    - transport
+    - virtual
+
+- name: link /etc/mailname to /etc/hostname
+  file:
+    dest: "/etc/mailname"
+    src: "/etc/hostname"
+    state: "link"
+    force: "yes"
+
+#
+# Verify and enable services
+#
+
+- name: verify and enable services
+  service:
+    name: "{{ item }}"
+    state: "started"
+    enabled: "yes"
+  with_items:
+  - "postfix"
+  - "amavis"
+  - "clamav-daemon"
+
+#
+# SpamAssassin training
+#
+
+- name: download spam sample archive
+  copy:
+    src: "spam-sample.txz"
+    dest: "/var/cache/spam-sample.txz"
+    owner: "root"
+    group: "root"
+    mode: "400"
+  register: spamsample
+
+- name: make temporary directory
+  command: "mktemp -d"
+  register: tempdirspam
+  when: spamsample.changed
+
+- name: extract spam sample archive to temporary directory
+  unarchive:
+    remote_src: "yes"
+    src: "/var/cache/spam-sample.txz"
+    dest: "{{ tempdirspam.stdout }}/"
+  when: spamsample.changed
+
+- name: sa-learn from the spam sample
+  command: "sa-learn --spam {{ tempdirspam.stdout }}/spam-sample/"
+  when: spamsample.changed
+
+- name: remove temporary directory
+  file:
+    dest: "{{ tempdirspam.stdout }}"
+    state: "absent"
+  when: spamsample.changed
+
+- name: download ham sample archive
+  copy:
+    src: "ham-sample.txz"
+    dest: "/var/cache/ham-sample.txz"
+    owner: "root"
+    group: "root"
+    mode: "400"
+  register: hamsample
+
+- name: make temporary directory
+  command: "mktemp -d"
+  register: tempdirham
+  when: hamsample.changed
+
+- name: extract ham sample archive to temporary directory
+  unarchive:
+    remote_src: "yes"
+    src: "/var/cache/ham-sample.txz"
+    dest: "{{ tempdirham.stdout }}/"
+  when: hamsample.changed
+
+- name: sa-learn from the ham sample
+  command: "sa-learn --ham {{ tempdirham.stdout }}/ham-sample/"
+  when: hamsample.changed
+
+- name: remove temporary directory
+  file:
+    dest: "{{ tempdirham.stdout }}"
+    state: "absent"
+  when: hamsample.changed
diff --git a/package-postfix_filter/templates/15-content_filter_mode.j2 b/package-postfix_filter/templates/15-content_filter_mode.j2
new file mode 100644
index 0000000..8ea341f
--- /dev/null
+++ b/package-postfix_filter/templates/15-content_filter_mode.j2
@@ -0,0 +1,12 @@
+use strict;
+
+# Amavis filter configuration
+# {{ ansible_managed }}
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1;  # ensure a defined return
diff --git a/package-postfix_filter/templates/50-user.j2 b/package-postfix_filter/templates/50-user.j2
new file mode 100644
index 0000000..50125ae
--- /dev/null
+++ b/package-postfix_filter/templates/50-user.j2
@@ -0,0 +1,40 @@
+use strict;
+
+@local_domains_acl = ( "." );
+$sa_tag_level_deflt = -9999;
+$sa_tag2_level_deflt = 5;
+$sa_kill_level_deflt = 9999;
+$sa_spam_subject_tag = '*** SPAM *** ';
+$final_spam_destiny = 'D_PASS';
+
+$bad_header_quarantine_method = undef;
+
+$notify_method  = '{{ notify_method }}';
+
+$newvirus_admin = '{{ notify_admin }}';
+$virus_admin = '{{ notify_admin }}';
+$spam_admin  = '{{ notify_admin }}';
+
+$banned_admin     = \@virus_admin_maps;  # for compatibility with pre-2.2.1
+$bad_header_admin = \@virus_admin_maps;  # for compatibility with pre-2.2.1
+@newvirus_admin_maps  = (\$newvirus_admin);
+@virus_admin_maps     = (\%virus_admin, \$virus_admin);
+@spam_admin_maps      = (\%spam_admin,  \$spam_admin);
+@banned_admin_maps    = (\$banned_admin);
+@bad_header_admin_maps= (\$bad_header_admin);
+
+{% if custom_sender_scores is defined %}
+# Custom sender_map scores
+@score_sender_maps = ({
+  '.' => [
+    new_RE(
+{% for score in custom_sender_scores %}
+      {{ score }},
+{% endfor %}
+    ),
+  ],
+});
+{% endif %}
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return
diff --git a/package-postfix_filter/templates/90_customrules.cf.j2 b/package-postfix_filter/templates/90_customrules.cf.j2
new file mode 100644
index 0000000..92bacf9
--- /dev/null
+++ b/package-postfix_filter/templates/90_customrules.cf.j2
@@ -0,0 +1,7 @@
+# Adjustments to default SpamAssassin scoring
+# {{ ansible_managed }}
+score RCVD_IN_PSBL 3.5		# Increase default score significantly
+score URIBL_BLACK 3.5		# Increase default score significantly
+score LOTS_OF_MONEY 2		# Increase default score a little
+score ADVANCE_FEE_4_NEW 2	# Increase default score a little
+score RDNS_NONE 0.5		# Decrease default score a little
diff --git a/package-postfix_filter/templates/helo_access.j2 b/package-postfix_filter/templates/helo_access.j2
new file mode 100644
index 0000000..266c7fb
--- /dev/null
+++ b/package-postfix_filter/templates/helo_access.j2
@@ -0,0 +1,2 @@
+/^\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]$/     DUNNO   announced self using an address literal
+/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/         REJECT  announced self with an IP address instead of a domain name
diff --git a/package-postfix_filter/templates/local.cf.j2 b/package-postfix_filter/templates/local.cf.j2
new file mode 100644
index 0000000..73e0a67
--- /dev/null
+++ b/package-postfix_filter/templates/local.cf.j2
@@ -0,0 +1,27 @@
+# SpamAssassin local config
+# {{ ansible_managed }}
+
+report_safe 1
+required_score 4.5
+
+use_bayes 1
+bayes_auto_learn 1
+bayes_auto_learn_threshold_nonspam -0.1
+bayes_auto_learn_threshold_spam 9.0
+
+score BAYES_00 -4
+score BAYES_05 -2
+score BAYES_80 2
+score BAYES_95 6
+score BAYES_99 8
+
+bayes_ignore_header X-Bogosity
+bayes_ignore_header X-Spam-Flag
+bayes_ignore_header X-Spam-Status
+
+bayes_path /var/spamassassin/bayes_db/bayes
+bayes_file_mode 0777
+
+skip_rbl_checks 0
+ok_languages all
+ok_locales all
diff --git a/package-postfix_filter/templates/main.cf.j2 b/package-postfix_filter/templates/main.cf.j2
new file mode 100644
index 0000000..9b71172
--- /dev/null
+++ b/package-postfix_filter/templates/main.cf.j2
@@ -0,0 +1,91 @@
+# Main Postfix configuration
+# {{ ansible_managed }}
+
+myorigin = /etc/mailname
+myhostname = {{ ansible_fqdn }}
+
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+message_size_limit = 26214400
+mailbox_size_limit = 0
+default_process_limit = 1000
+recipient_delimiter = +
+inet_interfaces = all
+
+smtpd_banner = {{ ansible_fqdn }} ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+delay_warning_time = 48h
+maximal_queue_lifetime = 14d
+bounce_queue_lifetime = 14d
+readme_directory = no
+compatibility_level = 2
+
+smtpd_use_tls={{ tls_enabled }}
+smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
+smtpd_tls_cert_file={{ tls_cert }}
+smtpd_tls_key_file={{ tls_key }}
+smtpd_tls_ask_ccert = yes
+smtpd_tls_received_header = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
+smtpd_tls_security_level = may
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_ciphers = medium
+smtpd_tls_exclude_ciphers = RC4, CAMELLIA, SEED, 3DES
+
+smtp_use_tls={{ tls_enabled }}
+smtp_tls_cert_file={{ tls_cert }}
+smtp_tls_key_file={{ tls_key }}
+smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
+smtp_tls_loglevel = 1
+smtp_tls_security_level = may
+smtp_tls_protocols = $smtpd_tls_protocols
+smtp_tls_ciphers = $smtpd_tls_ciphers
+smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
+
+mydestination =
+local_recipient_maps =
+alias_maps =
+alias_database =
+virtual_alias_maps = pcre:$config_directory/local/virtual
+local_transport = error:local mail delivery is disabled
+transport_maps = pcre:$config_directory/local/transport
+relay_domains = $config_directory/local/relay_domains
+
+content_filter = smtp-amavis:[127.0.0.1]:10024
+smtpd_client_recipient_rate_limit = 250
+strict_rfc821_envelopes = yes
+receive_override_options = no_address_mappings
+policyd-spf_time_limit = 3600
+smtpd_relay_restrictions =
+    permit_mynetworks
+    reject_unauth_destination
+    check_policy_service unix:private/policyd-spf
+{% for rbl in remote_block_lists %}
+    reject_rbl_client {{ rbl }}
+{% endfor %}
+    warn_if_reject reject_unknown_client
+
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+    check_helo_access pcre:$config_directory/local/helo_access
+    reject_invalid_hostname
+
+smtpd_sender_restrictions =
+    check_sender_mx_access cidr:$config_directory/local/mx_access
+    reject_unknown_sender_domain
+    reject_non_fqdn_sender
+    check_sender_access pcre:$config_directory/local/sender_access
+
+smtpd_recipient_restrictions =
+    reject_unknown_recipient_domain
+    reject_non_fqdn_recipient
+    reject_unauth_pipelining
+    reject_unauth_destination
+    check_policy_service unix:private/policyd-spf
+    check_recipient_access pcre:$config_directory/local/recipient_access
+    reject_unverified_recipient
+
+smtpd_data_restrictions =
+    reject_multi_recipient_bounce
+    reject_unauth_pipelining
diff --git a/package-postfix_filter/templates/master.cf.j2 b/package-postfix_filter/templates/master.cf.j2
new file mode 100644
index 0000000..dea0256
--- /dev/null
+++ b/package-postfix_filter/templates/master.cf.j2
@@ -0,0 +1,62 @@
+# Postfix master process configuration file
+# {{ ansible_managed }}
+
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#         (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+pickup    unix  n       -       y       60      1       pickup
+  -o content_filter=
+  -o receive_override_options=no_header_body_checks
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+
+policyd-spf  unix  -       n       n       -       0       spawn
+    user=policyd-spf argv=/usr/bin/policyd-spf
+
+smtp-amavis     unix    -       -       y       -       2       smtp
+  -o smtp_data_done_timeout=1200
+  -o smtp_send_xforward_command=yes
+  -o disable_dns_lookups=yes
+  -o max_use=20
+
+127.0.0.1:10025 inet    n       -       y       -       -       smtpd
+  -o content_filter=
+  -o local_recipient_maps=
+  -o relay_recipient_maps=
+  -o smtpd_restriction_classes=
+  -o smtpd_delay_reject=no
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o smtpd_helo_restrictions=
+  -o smtpd_sender_restrictions=
+  -o smtpd_recipient_restrictions=permit_mynetworks,reject
+  -o smtpd_data_restrictions=reject_unauth_pipelining
+  -o smtpd_end_of_data_restrictions=
+  -o mynetworks=127.0.0.0/8
+  -o smtpd_error_sleep_time=0
+  -o smtpd_soft_error_limit=1001
+  -o smtpd_hard_error_limit=1000
+  -o smtpd_client_connection_count_limit=0
+  -o smtpd_client_connection_rate_limit=0
+  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
diff --git a/package-postfix_filter/templates/policyd-spf.conf.j2 b/package-postfix_filter/templates/policyd-spf.conf.j2
new file mode 100644
index 0000000..cccd84a
--- /dev/null
+++ b/package-postfix_filter/templates/policyd-spf.conf.j2
@@ -0,0 +1,12 @@
+# policyd SPF config
+# {{ ansible_managed }}
+
+debugLevel = 1 
+
+HELO_reject = False
+Mail_From_reject = False
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
diff --git a/package-postfix_filter/templates/recipient_access.j2 b/package-postfix_filter/templates/recipient_access.j2
new file mode 100644
index 0000000..eeee382
--- /dev/null
+++ b/package-postfix_filter/templates/recipient_access.j2
@@ -0,0 +1,4 @@
+/[%!@].*[%!@]/  REJECT          sender-specified routing in recipient address
+/&.*@/          REJECT          invalid user
+/^(daemon|bin|sys|sync|games|man|lp|news|uucp|proxy|www-data|backup|list|irc|gnats|nobody)@/    REJECT  reserved system user
+/^(ntp|sshd|munin|postfix|clamav|sqlgrey|policyd-spf|bind|statd|freerad|mysql|smokeping|systemd-.+|)@/  REJECT  reserved system user
diff --git a/package-postfix_filter/templates/relay_domains.j2 b/package-postfix_filter/templates/relay_domains.j2
new file mode 100644
index 0000000..16dbac2
--- /dev/null
+++ b/package-postfix_filter/templates/relay_domains.j2
@@ -0,0 +1,3 @@
+{% for domain in relay_domains %}
+{{ domain.domain }}
+{% endfor %}
diff --git a/package-postfix_filter/templates/transport.j2 b/package-postfix_filter/templates/transport.j2
new file mode 100644
index 0000000..80a2133
--- /dev/null
+++ b/package-postfix_filter/templates/transport.j2
@@ -0,0 +1,3 @@
+{% for domain in relay_domains %}
+/@{{ domain.domain }}$/ relay:{{ domain.relay }}
+{% endfor %}
diff --git a/package-postfix_filter/templates/virtual.j2 b/package-postfix_filter/templates/virtual.j2
new file mode 100644
index 0000000..d89602a
--- /dev/null
+++ b/package-postfix_filter/templates/virtual.j2
@@ -0,0 +1,3 @@
+{% for map in virtual_maps %}
+{{ map.regex }} {{ map.map }}
+{% endfor %}