diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp
index 892e625..8764574 100644
--- a/postfix/manifests/init.pp
+++ b/postfix/manifests/init.pp
@@ -29,6 +29,11 @@
 #   $postfix_cert:
 #       Path to SSL certificate. Defaults to puppet client certificate.
 #
+#   $postgrey:
+#       Whether to run postgrey or not.
+#
+#   $submission:
+#       Whether to enable submission (and sasl::saslauthd).
 class postfix {
 
     include ssl
@@ -60,6 +65,17 @@ class postfix {
         $postfix_interfaces = "localhost"
     }
 
+    if $postgrey {
+        case $::operatingsystem {
+            "debian","ubuntu": {
+                package {"postgrey": ensure => installed,}
+            }
+            default: {
+                fail("Postgrey module not yet supported in ${::operatingsystem}.")
+            }
+        }
+    }
+
     package { "postfix":
         ensure => installed,
     }
@@ -97,6 +113,20 @@ class postfix {
         require => Package["postfix"],
     }
 
+    if $submission {
+        include sasl::saslauthd
+    }
+
+    file { "/etc/postfix/master.cf":
+        ensure  => present,
+        mode    => "0644",
+        owner   => "root",
+        group   => "root",
+        content => template("postfix/master.cf.erb"),
+        notify  => Service["postfix"],
+        require => Package["postfix"],
+    }
+
     file { "/etc/aliases":
         ensure  => present,
         source  => [
@@ -132,3 +162,4 @@ class postfix {
     }
 
 }
+
diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb
index 4f0c6ac..c0fe546 100644
--- a/postfix/templates/main.cf.erb
+++ b/postfix/templates/main.cf.erb
@@ -565,6 +565,9 @@ smtpd_recipient_restrictions =
 	permit_mynetworks,
 	reject_unauth_destination,
 	check_relay_domains
+<% if has_variable?("postgrey") -%>
+    check_policy_service inet:127.0.0.1:10023
+<% end -%>
 
 # The header_checks parameter specifies an optional table with patterns
 # that each logical message header is matched against, including