diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
new file mode 100644
index 0000000..e0aff58
--- /dev/null
+++ b/roles/dovecot/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart dovecot
+ service:
+ name: dovecot
+ state: restarted
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..d211bf7
--- /dev/null
+++ b/roles/dovecot/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+
+- name: install packages
+ package:
+ name: dovecot
+ state: installed
+
+- name: install privatekey
+ copy:
+ dest: "{{ tls_private }}/{{ mail_server }}.key"
+ src: "{{ item }}"
+ mode: 0600
+ owner: root
+ grouop: "{{ ansible_wheel }}"
+ with_first_found:
+ - "/srv/letsencrypt/live/{{ mail_server }}/privkey.pem"
+ - "/srv/ca/private/{{ inventory_hostname }}.key"
+ notify: restart dovecot
+
+- name: install certificate
+ copy:
+ dest: "{{ tls_certs }}/{{ mail_server }}.crt"
+ src: "{{ item }}"
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ with_first_found:
+ - "/srv/letsencrypt/live/{{ mail_server }}/fullchain.pem"
+ - "/srv/ca/certs/{{ inventory_hostname }}.crt"
+ notify: restart dovecot
+
+- name: create local config
+ template:
+ dest: /etc/dovecot/conf.d/99local.conf
+ src: local.conf.j2
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: restart dovecot
+
+- name: enable service
+ service:
+ name: dovecot
+ enabled: true
+ state: started
diff --git a/roles/dovecot/templates/local.conf.j2 b/roles/dovecot/templates/local.conf.j2
new file mode 100644
index 0000000..e9144e5
--- /dev/null
+++ b/roles/dovecot/templates/local.conf.j2
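Review bot: `grouop: "{{ ansible_wheel }}"` in the "install privatekey" task is a misspelling of `group`; Ansible's copy module rejects unknown arguments, so the play fails on this task and the TLS key is never deployed (the sibling "install certificate" task spells it `group`). Change the line to `group: "{{ ansible_wheel }}"`. While here, quote the octal modes as `mode: "0600"` and `mode: "0644"` so a YAML parser cannot reinterpret them as decimal integers, and prefer `state: present` over the legacy `installed` alias in the package task.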
@@ -0,0 +1,48 @@
+# ssl settings
+ssl = required
+ssl_cert = {{ tls_certs }}/{{ mail_server }}.crt
+ssl_key = {{ tls_private }}/{{ mail_server }}.key
+
+# kerberos
+auth_gssapi_hostname = "$ALL"
+auth_krb5_keytab = /etc/dovecot/dovecot.keytab
+auth_mechanisms = gssapi plain login
+
+# use index from tmpfs
+mail_location = mbox:~/imapmail/:INBOX=/var/mail/%u:INDEX=/var/spool/dovecot/index/home/%u
+
+# special icons for mailboxes
+namespace inbox {
+ mailbox spam {
+ special_use = \Junk
+ }
+ mailbox Sent {
+ auto = subscribe
+ special_use = \Sent
+ }
+ mailbox Trash {
+ auto = subscribe
+ special_use = \Trash
+ }
+}
+
+# imap specific
+protocol imap {
+ mail_max_userip_connections = 20
+ imap_idle_notify_interval = 29 mins
+}
+
+# disable plain text imap and pop3
+service pop3-login {
+ inet_listener pop3 {
+ port = 0
+ }
+ inet_listener pop3s {
+ port = 0
+ }
+}
+service imap-login {
+ inet_listener imap {
+ port = 0
+ }
+}
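Review bot: `ssl_cert = {{ tls_certs }}/{{ mail_server }}.crt` and `ssl_key = {{ tls_private }}/{{ mail_server }}.key` are missing the leading `<`; Dovecot treats an `ssl_cert`/`ssl_key` value as the literal PEM data unless it starts with `<`, so the rendered config will fail to load the certificate instead of serving TLS on the remaining imaps listener. Change them to `ssl_cert = <{{ tls_certs }}/{{ mail_server }}.crt` and `ssl_key = <{{ tls_private }}/{{ mail_server }}.key`. Since `ssl = required` is the only thing protecting the `plain` and `login` mechanisms, consider also pinning the protocol floor and cipher policy (e.g. `ssl_min_protocol = TLSv1.2` and `ssl_prefer_server_ciphers = yes`, depending on the Dovecot version in use) rather than relying on distribution defaults. The comment `# disable plain text imap and pop3` is also slightly misleading, because setting `port = 0` on `pop3s` as well disables POP3 entirely; `# disable pop3 entirely and plain-text imap` would match what the block does.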