diff --git a/group_vars/all b/group_vars/all
index 83afd35..aeb44e3 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -6,13 +6,15 @@ ldap_base: dc=binary-kitchen,dc=de ldap_binddn: cn=Services,ou=Roles,dc=binary-kitchen,dc=de ldap_bindpw: svcpwd +mail_domain: binary-kitchen.com + nslcd_base_group: ou=Groups,dc=binary-kitchen,dc=de nslcd_base_shadow: ou=Users,dc=binary-kitchen,dc=de nslcd_base_passwd: ou=Users,dc=binary-kitchen,dc=de ntp_servers: - 172.23.1.61 -- 172.23.2.2 +- 172.23.2.2 prosody_admin: moepman@jabber.binary-kitchen.de prosody_domain: jabber.binary-kitchen.de
diff --git a/roles/mail/files/policyd-spf.conf b/roles/mail/files/policyd-spf.conf
new file mode 100644
index 0000000..d32521b
--- /dev/null
+++ b/roles/mail/files/policyd-spf.conf
@@ -0,0 +1,14 @@
+# For a fully commented sample config file see policyd-spf.conf.commented
+
+debugLevel = 1
+defaultSeedOnly = 1
+
+HELO_reject = No_Check
+Mail_From_reject = False
+
+Mail_From_pass_restriction = OK
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 90e3f92..ce2ebad 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
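Review bot: With `HELO_reject = No_Check`, `Mail_From_reject = False`, `PermError_reject = False` and `TempError_Defer = False` this policy never rejects or defers, so SPF is advisory only, yet `Mail_From_pass_restriction = OK` makes an SPF pass return OK to postfix, which ends evaluation of whichever restriction list the policy service sits in. Whether that exempts only postgrey (the usual greylisting shortcut) or also skips the helo_access/recipient_access tables this commit adds depends on the order in the postfix main.cf template, which is not in this diff. A comment at the top would make the intent checkable: `# Advisory SPF: nothing is rejected; an SPF pass returns OK and short-circuits the remaining postfix restrictions, so keep this check after the access tables`.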
@@ -3,25 +3,75 @@
 - name: Install packages
 apt: name={{ item }} state=present
 with_items:
- - postfix
 - amavisd-new
- - postgrey
- - spamassassin
+ - bsd-mailx
 - dovecot-core
 - dovecot-imapd
- - dovecot-sieve
- - dovecot-managesieved
 - dovecot-ldap
+ - dovecot-managesieved
+ - dovecot-sieve
+ - postfix
+ - postfix-policyd-spf-python
+ - postgrey
+ - pyzor
+ - razor
+ - spamassassin
+ tags: mail
+
+- name: Create vmail group
+ group: name=vmail gid=500 state=present
+ tags: mail
+
+- name: Create vmail user
+ user: name=vmail uid=500 createhome=yes home=/var/vmail shell=/bin/false state=present
+ tags: mail
+
+- name: Configure amavis
+ template: src={{ item }}.j2 dest=/etc/{{ item }}
+ with_items:
+ - amavis/15-content_filter_mode
+ - amavis/50-user
+ notify: Restart amavis
+ tags: mail
+
+- name: Configure dovecot
+ template: src={{ item }}.j2 dest=/etc/{{ item }}
+ with_items:
+ - dovecot/dovecot-ldap.conf.ext
+ - dovecot/local.conf
+ notify: Restart dovecot
+ tags: mail
+
+- name: Configure policyd
+ copy: src={{ item }} dest=/etc/postfix-policyd-spf-python/{{ item }}
+ with_items:
+ - policyd-spf.conf
 tags: mail
 - name: Configure postfix
- template: src={{ item }} dest=/etc/postfix/{{ item }}
+ template: src={{ item }}.j2 dest=/etc/{{ item }}
 with_items:
- - ldap-aliases.cf.j2
- - ldap-virtual-maps.cf.j2
+ - postfix/helo_access
+ - postfix/ldap-aliases.cf
+ - postfix/ldap-virtual-maps.cf
+ - postfix/main.cf
+ - postfix/master.cf
+ - postfix/recipient_access
 notify: Restart postfix
 tags: mail
+- name: Create razor directory structure
+ command: razor-admin -create chdir=/var/lib/amavis creates=/var/lib/amavis/.razor
+ become: yes
+ become_user: amavis
+ tags: mail
+
+- name: Register razor
+ command: razor-admin -register chdir=/var/lib/amavis creates=/var/lib/amavis/.razor/identity
+ become: yes
+ become_user: amavis
+ tags: mail
+
 - name: Start amavis
 service: name=amavis state=started enabled=yes
 tags: mail
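Review bot: The `Configure dovecot` task renders `dovecot/dovecot-ldap.conf.ext`, which carries `dnpass = {{ ldap_bindpw }}`, with `template: src={{ item }}.j2 dest=/etc/{{ item }}` and no `owner`/`mode`, so the LDAP bind password is written with the module's default (umask-derived, typically world-readable) permissions, while the template's own header asks for root-owned 0600. `template: src={{ item }}.j2 dest=/etc/{{ item }} owner=root group=root mode=0600` on that task fixes it; the ldap-*.cf files in the `Configure postfix` task appear to hold the same credential and need a mode postfix can read but other users cannot. The `Configure amavis` task writes `/etc/amavis/15-content_filter_mode` and `/etc/amavis/50-user`, but the Debian amavisd-new package reads its numbered files from `/etc/amavis/conf.d/`, so unless this host is set up differently the two files seem to land one directory too high and the spam settings would silently not apply — `amavis/conf.d/15-content_filter_mode` and `amavis/conf.d/50-user` in `with_items` (with the templates moved to match) is what I would expect.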
diff --git a/roles/mail/templates/amavis/15-content_filter_mode.j2 b/roles/mail/templates/amavis/15-content_filter_mode.j2
new file mode 100644
index 0000000..1d5ffab
--- /dev/null
+++ b/roles/mail/templates/amavis/15-content_filter_mode.j2
@@ -0,0 +1,27 @@
+use strict;
+
+# You can modify this file to re-enable SPAM checking through spamassassin
+# and to re-enable antivirus checking.
+
+#
+# Default antivirus checking mode
+# Please note, that anti-virus checking is DISABLED by
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+#@bypass_virus_checks_maps = (
+# \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+
+#
+# Default SPAM checking mode
+# Please note, that anti-spam checking is DISABLED by
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_spam_checks_maps = (
+ \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1; # ensure a defined return
diff --git a/roles/mail/templates/amavis/50-user.j2 b/roles/mail/templates/amavis/50-user.j2
new file mode 100644
index 0000000..541d0f1
--- /dev/null
+++ b/roles/mail/templates/amavis/50-user.j2
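Review bot: The comment block directly above `@bypass_spam_checks_maps` still says "anti-spam checking is DISABLED by default. If You wish to enable it, please uncomment the following lines", which is no longer true for this template and invites the next reader to treat the uncommented block as something still to be toggled; replacing those three lines with `# Spam checking is ENABLED here (the maps below are uncommented); virus checking stays disabled above.` keeps the file self-describing. The file contains no Jinja expressions, so it could be shipped with `copy` from files/ exactly like policyd-spf.conf in this commit; keeping it a template is fine, but a one-line reason would help if one exists.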
@@ -0,0 +1,33 @@
+use strict;
+
+#
+# Place your configuration directives here. They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+$remove_existing_spam_headers = 1;
+
+$sa_tag_level_deflt = undef;
+$sa_tag2_level_deflt = 5.0;
+$sa_kill_level_deflt = $sa_tag2_level_deflt;
+$sa_spam_subject_tag = undef;
+
+$final_virus_destiny = D_PASS;
+$final_banned_destiny = D_PASS;
+$final_spam_destiny = D_PASS;
+$final_bad_header_destiny = D_PASS;
+
+$virus_admin = undef;
+
+$virus_quarantine_to = undef;
+$spam_quarantine_to = undef;
+
+$X_HEADER_LINE = "$myproduct_name at $mydomain";
+
+# todo (mrks): determine local addresses
+
+#------------ Do not modify anything below this line -------------
+1; # ensure a defined return
diff --git a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
new file mode 100644
index 0000000..8e48ec8
--- /dev/null
+++ b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
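Review bot: `# todo (mrks): determine local addresses` leaves `@local_domains_maps` at amavis's default, which is derived from `$mydomain` (the same value used in `$X_HEADER_LINE`), so what counts as a local recipient for spam tagging depends on wherever `$mydomain` is set outside this diff rather than on the role; the `mail_domain` variable this commit adds to group_vars settles it: `@local_domains_maps = ( [".{{ mail_domain }}"] );`. Because `$final_spam_destiny = D_PASS` and `$sa_spam_subject_tag = undef` while `$sa_kill_level_deflt` equals the 5.0 tag2 level, a message over the threshold is still delivered unchanged apart from its X-Spam-* headers, so any filtering rests on a sieve rule matching `X-Spam-Flag` that is not part of this diff — a comment stating that design would help: `# Spam is tagged (X-Spam-*) but never rejected or quarantined; sieve rules are expected to sort on X-Spam-Flag`. `$final_virus_destiny`, `$virus_admin` and `$virus_quarantine_to` have no effect while virus checking stays disabled in 15-content_filter_mode.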
@@ -0,0 +1,145 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-ldap.conf.ext
+
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/LDAP
+#
+# NOTE: If you're not using authentication binds, you'll need to give
+# dovecot-auth read access to userPassword field in the LDAP server.
+# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
+# already be something like this:
+
+# access to attribute=userPassword
+# by dn="" read # add this
+# by anonymous auth
+# by self write
+# by * none
+
+# Space separated list of LDAP hosts to use. host:port is allowed too.
+#hosts = {{ ldap_host }}
+
+# LDAP URIs to use. You can use this instead of hosts list. Note that this
+# setting isn't supported by all LDAP libraries.
+uris = {{ ldap_uri }}
+
+# Distinguished Name - the username used to login to the LDAP server.
+# Leave it commented out to bind anonymously (useful with auth_bind=yes).
+dn = {{ ldap_binddn }}
+
+# Password for LDAP server, if dn is specified.
+dnpass = {{ ldap_bindpw }}
+
+# Use SASL binding instead of the simple binding. Note that this changes
+# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
+# and auth_bind=yes don't work together.
+#sasl_bind = no
+# SASL mechanism name to use.
+#sasl_mech =
+# SASL realm to use.
+#sasl_realm =
+# SASL authorization ID, ie. the dnpass is for this "master user", but the
+# dn is still the logged in user. Normally you want to keep this empty.
+#sasl_authz_id =
+
+# Use TLS to connect to the LDAP server.
+tls = yes
+# TLS options, currently supported only with OpenLDAP:
+#tls_ca_cert_file =
+#tls_ca_cert_dir =
+#tls_cipher_suite =
+# TLS cert/key is used only if LDAP server requires a client certificate.
+#tls_cert_file =
+#tls_key_file =
+# Valid values: never, hard, demand, allow, try
+#tls_require_cert =
+
+# Use the given ldaprc path.
+#ldaprc_path =
+
+# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
+# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
+# to get enough output.
+#debug_level = 0
+
+# Use authentication binding for verifying password's validity. This works by
+# logging into LDAP server using the username and password given by client.
+# The pass_filter is used to find the DN for the user. Note that the pass_attrs
+# is still used, only the password field is ignored in it. Before doing any
+# search, the binding is switched back to the default DN.
+#auth_bind = no
+
+# If authentication binding is used, you can save one LDAP request per login
+# if users' DN can be specified with a common template. The template can use
+# the standard %variables (see user_filter). Note that you can't
+# use any pass_attrs if you use this setting.
+#
+# If you use this setting, it's a good idea to use a different
+# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
+# the filename is different in userdb's args). That way one connection is used
+# only for LDAP binds and another connection is used for user lookups.
+# Otherwise the binding is changed to the default DN before each user lookup.
+#
+# For example:
+# auth_bind_userdn = cn=%u,ou=people,o=org
+#
+#auth_bind_userdn =
+
+# LDAP protocol version to use. Likely 2 or 3.
+#ldap_version = 3
+
+# LDAP base. %variables can be used here.
+# For example: dc=mail, dc=example, dc=org
+base = {{ ldap_base }}
+
+# Dereference: never, searching, finding, always
+deref = never
+
+# Search scope: base, onelevel, subtree
+scope = subtree
+
+# User attributes are given in LDAP-name=dovecot-internal-name list.
The
+# internal names are:
+# uid - System UID
+# gid - System GID
+# home - Home directory
+# mail - Mail location
+#
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
+user_attr =
+
+# Filter for user lookup. Some variables can be used (see
+# http://wiki2.dovecot.org/Variables for full list):
+# %u - username
+# %n - user part in user@domain, same as %u if there's no domain
+# %d - domain part in user@domain, empty if user there's no domain
+#user_filter = (&(objectClass=posixAccount)(uid=%u))
+user_filter = (&(objectClass=posixAccount)(uid=%u))
+
+# Password checking attributes:
+# user: Virtual user name (user@domain), if you wish to change the
+# user-given username to something else
+# password: Password, may optionally start with {type}, eg. {crypt}
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#pass_attrs = uid=user,userPassword=password
+
+# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
+# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
+# string. For example:
+#pass_attrs = uid=user,userPassword=password,\
+# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
+
+# Filter for password lookups
+#pass_filter = (&(objectClass=posixAccount)(uid=%u))
+
+# Attributes and filter to get a list of all users
+#iterate_attrs = uid=user
+#iterate_filter = (objectClass=posixAccount)
+
+# Default password scheme. "{scheme}" before password overrides this.
+# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
+#default_pass_scheme = CRYPT
diff --git a/roles/mail/templates/dovecot/local.conf.j2 b/roles/mail/templates/dovecot/local.conf.j2
new file mode 100644
index 0000000..e4a0b36
--- /dev/null
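Review bot: `user_attr =`, the line right under the commented `#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid` example, is not the setting name dovecot's LDAP backend knows (`user_attrs`), so it is rejected at startup or at best ignored instead of clearing the attribute list; if the intent is to take uid/gid/home from `mail_uid`/`mail_gid`/`mail_location` in local.conf, the line should read `user_attrs =`. `tls = yes` is set while `tls_ca_cert_file`, `tls_ca_cert_dir` and `tls_require_cert` stay commented, so whether the STARTTLS session to `{{ ldap_uri }}` verifies the server certificate is inherited from the system ldap.conf rather than stated here; since the file carries the bind credential in `dnpass`, pinning it with `tls_ca_cert_file = <path to CA bundle>` and `tls_require_cert = demand` is the safer default, and if `ldap_uri` is an ldaps:// URI then `tls = yes` should not be combined with it. This hunk runs from L5 to L7; its first line is on L5.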
+++ b/roles/mail/templates/dovecot/local.conf.j2
@@ -0,0 +1,102 @@
+auth_mechanisms = plain login
+auth_verbose = yes
+
+auth_debug=yes
+mail_debug = yes
+log_path = /var/log/dovecot/errors.log
+info_log_path = /var/log/dovecot/info.log
+#log_timestamp = "%Y-%m-%d %H:%M:%S "
+
+mail_privileged_group = mail
+
+mail_location = maildir:/var/vmail/%u/.maildir
+mail_home = maildir:/var/vmail/%u
+mail_uid = vmail
+mail_gid = vmail
+
+ssl = yes
+ssl_cert =