diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml index c0cf45f..ef87c6b 100644 --- a/roles/dovecot/tasks/main.yml +++ b/roles/dovecot/tasks/main.yml @@ -28,18 +28,53 @@ with_first_found: - "/srv/letsencrypt/live/{{ mail_server }}/fullchain.pem" - "/srv/ca/certs/{{ inventory_hostname }}.crt" - tages: certificates + tags: certificates notify: restart dovecot - name: create local config template: - dest: /etc/dovecot/conf.d/99local.conf + dest: /etc/dovecot/conf.d/99-local.conf src: local.conf.j2 mode: 0644 owner: root group: "{{ ansible_wheel }}" + validate: doveconf -n %s notify: restart dovecot +- name: fix selinux contexts from cache directory + sefcontext: + path: "/var/spool/dovecot/index/home(/.*)?" + setype: user_home_t + +- name: create cache directory hierarcy + file: + path: "{{ item }}" + state: directory + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + setype: _default + with_items: + - /var/spool/dovecot + - /var/spool/dovecot/index + +- name: create user cache directory + file: + path: /var/spool/dovecot/index/home + state: directory + mode: 1777 + owner: root + group: "{{ ansible_wheel }}" + setype: _default + +- name: create tmpfs mount for cache + mount: + state: mounted + path: /var/spool/dovecot/index/home + src: none + fstype: tmpfs + opts: context="system_u:object_r:user_home_t:s0" + - name: enable service service: name: dovecot diff --git a/roles/dovecot/templates/local.conf.j2 b/roles/dovecot/templates/local.conf.j2 index e9144e5..709e5b3 100644 --- a/roles/dovecot/templates/local.conf.j2 +++ b/roles/dovecot/templates/local.conf.j2 
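Review bot: `mode: 1777` in the "create user cache directory" task is read by YAML as the decimal integer 1777 (octal 03361), not the sticky world-writable directory the name and the tmpfs mounted over it suggest; write it as `mode: "1777"` (or `01777`, matching the leading zero `0755` and `0644` already carry in this hunk). The "create tmpfs mount for cache" task gives `opts` only a SELinux context and no `size=`, so with the directory world-writable any local user can fill the tmpfs up to the kernel default (half of RAM); `opts: size=<LIMIT>,nosuid,nodev,noexec,context="system_u:object_r:user_home_t:s0"` (with a size chosen for the host) bounds that and keeps the user-writable mount non-executable. `validate: doveconf -n %s` hands the rendered file to doveconf as a positional argument, which in doveconf's usage appears to be a setting name rather than a config file (`-c` is the config-file option), and the temporary file is checked in isolation rather than as part of the full dovecot.conf — confirm the command actually rejects a broken render, e.g. `validate: doveconf -c %s -n`.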
@@ -1,13 +1,16 @@ # ssl settings ssl = required -ssl_cert = {{ tls_certs }}/{{ mail_server }}.crt -ssl_key = {{ tls_private }}/{{ mail_server }}.key +ssl_cert = <{{ tls_certs }}/{{ mail_server }}.crt +ssl_key = <{{ tls_private }}/{{ mail_server }}.key # kerberos auth_gssapi_hostname = "$ALL" auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = gssapi plain login +# enable only imap +protocols = imap + # use index from tmpfs mail_location = mbox:~/imapmail/:INBOX=/var/mail/%u:INDEX=/var/spool/dovecot/index/home/%u @@ -32,15 +35,7 @@ protocol imap { imap_idle_notify_interval = 29 mins } -# disable plain text imap and pop3 -service pop3-login { - inet_listener pop3 { - port = 0 - } - inet_listener pop3s { - port = 0 - } -} +# disable plain text imap service imap-login { inet_listener imap { port = 0
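Review bot: The `<` prefix on the new `ssl_cert`/`ssl_key` lines is the actual fix (Dovecot reads the file contents rather than treating the value as the literal path), but nothing in the template says so; add `# '<' makes dovecot read the referenced file instead of using the path as the value` above `ssl_cert`. The `# ssl settings` block still leaves the accepted TLS versions at the installed version's default, so `ssl = required` can be satisfied by a legacy protocol; consider pinning `ssl_min_protocol = TLSv1.2` here (the setting is named `ssl_protocols` on Dovecot 2.2, so match the deployed version). The later hunk that removes the `pop3-login` listeners relies on the `protocols = imap` line added here; a short comment such as `# pop3 is not listed in protocols, so no pop3-login service is configured` at the removal site would keep that dependency visible when either file is edited alone.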