diff --git a/host_vars/mx.test.infra.auro.re.yml b/host_vars/mx.test.infra.auro.re.yml
index b9c596e..f46f095 100644
--- a/host_vars/mx.test.infra.auro.re.yml
+++ b/host_vars/mx.test.infra.auro.re.yml
@@ -1,6 +1,11 @@
 ---
-systemd_link__links:
-  ext0: ae:ae:ae:1d:c8:b2
+dovecot__auth_default_realm: test.auro.re
+dovecot__auth_users:
+  jeltz@test.auro.re: "{plain}password"
+  lafeych@test.auro.re: "{plain}password"
+  toto@test.auro.re: "{plain}password"
+  root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
+dovecot__lmtp_postmaster_address: postmaster@test.auro.re
 
 ifupdown2__interfaces:
   ext0:
@@ -9,4 +14,25 @@ ifupdown2__interfaces:
       - 10.211.1.5/16
       - 45.66.111.205/30
     gateways: "{{ ifupdown2__gateways.ext }}"
+
+postfix__hostname: mx.test.auro.re
+
+postfix__sasl_local_domain: test.auro.re
+
+postfix__virtual_aliases:
+  postmaster@test.auro.re: root@test.auro.re
+  dmarc@test.auro.re: root@test.auro.re
+
+postfix__virtual_mailbox_domains:
+ - infra.test.auro.re
+ - test.auro.re
+
+postfix__virtual_mailboxes:
+  jeltz@test.auro.re: jeltz@test.auro.re
+  root@test.auro.re: root@test.auro.re
+  toto@test.auro.re: toto@test.auro.re
+  vincent.lafeychine@test.auro.re: lafeych@test.auro.re
+
+systemd_link__links:
+  ext0: ae:ae:ae:1d:c8:b2
 ...
diff --git a/playbooks/mail.yml b/playbooks/mail.yml
new file mode 100755
index 0000000..67d60f9
--- /dev/null
+++ b/playbooks/mail.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts:
+    - vm_test
+  roles:
+    - postfix
+    - dovecot
+...
diff --git a/roles/dovecot/defaults/main.yml b/roles/dovecot/defaults/main.yml
new file mode 100644
index 0000000..4031c1c
--- /dev/null
+++ b/roles/dovecot/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+dovecot__auth_users: {}
+...
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
new file mode 100644
index 0000000..4ead1c8
--- /dev/null
+++ b/roles/dovecot/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Reload dovecot
+  systemd:
+    name: dovecot.service
+    state: reloaded
+...
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..d405a4e
--- /dev/null
+++ b/roles/dovecot/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+- name: Install dovecot
+  apt:
+    name:
+      - dovecot-core
+      - dovecot-imapd
+      - dovecot-lmtpd
+      - dovecot-managesieved
+      - dovecot-sieve
+
+- name: Create group vmail for dovecot
+  group:
+    name: vmail
+
+- name: Create account vmail for dovecot
+  user:
+    group: vmail
+    home: /srv/mail
+    name: vmail
+    password: "!"
+    system: true
+
+- name: Configure dovecot main configuration
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: "{{ item.group }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - src: dovecot.conf.j2
+      dest: /etc/dovecot/dovecot.conf
+      group: root
+      mode: u=rw,g=,o=
+    - src: auth.j2
+      dest: /etc/dovecot/auth
+      group: dovecot
+      mode: u=rw,g=r,o=
+  notify:
+    - Reload dovecot
+
+- name: Enable and start dovecot
+  systemd:
+    name: dovecot.service
+    state: started
+    enabled: true
+...
diff --git a/roles/dovecot/templates/auth.j2 b/roles/dovecot/templates/auth.j2
new file mode 100644
index 0000000..cdb2cb0
--- /dev/null
+++ b/roles/dovecot/templates/auth.j2
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+{% for user, passwd in dovecot__auth_users.items() %}
+{{ user }}:{{ passwd }}
+{% endfor %}
diff --git a/roles/dovecot/templates/dovecot.conf.j2 b/roles/dovecot/templates/dovecot.conf.j2
new file mode 100644
index 0000000..1b25c2f
--- /dev/null
+++ b/roles/dovecot/templates/dovecot.conf.j2
@@ -0,0 +1,120 @@
+protocols = imap lmtp sieve
+
+ssl = yes
+ssl_cert = </etc/dovecot/private/dovecot.pem
+ssl_client_ca_dir = /etc/ssl/certs
+ssl_dh = </usr/share/dovecot/dh.pem
+ssl_key = </etc/dovecot/private/dovecot.key
+
+service stats {
+	inet_listener http {
+		port = 9900
+	}
+}
+
+metric auth_success {
+  filter = (event=auth_request_finished AND success=yes)
+}
+
+metric imap_command {
+  filter = event=imap_command_finished
+  group_by = cmd_name tagged_reply_state
+}
+
+metric smtp_command {
+  filter = event=smtp_server_command_finished
+  group_by = cmd_name status_code duration:exponential:1:5:10
+}
+
+metric mail_delivery {
+  filter = event=mail_delivery_finished
+  group_by = duration:exponential:1:5:10
+}
+
+service imap-login {
+	inet_listener imap {
+		port = 0
+	}
+	inet_listener imaps {
+		port = 993
+	}
+}
+
+service lmtp {
+	unix_listener /var/spool/postfix/private/dovecot-lmtp {
+		mode = 0660
+		group = postfix
+		user = postfix
+	}
+	# TODO
+	user = vmail
+}
+
+service auth {
+	unix_listener /var/spool/postfix/private/auth {
+		mode = 0660
+		user = postfix
+		group = postfix
+	}
+	# TODO
+	unix_listener auth-userdb {
+		mode = 0660
+		user = vmail
+		group = vmail
+	}
+}
+
+protocol imap {
+	mail_plugins = imap_sieve
+	mail_max_userip_connections = 20 # TODO
+	imap_idle_notify_interval = 29 mins # TODO
+}
+
+protocol lmtp {
+	postmaster_address = {{ dovecot__lmtp_postmaster_address | enquote }}
+	mail_plugins = sieve notify push_notification # TODO sieve ??
+}
+
+auth_default_realm = {{ dovecot__auth_default_realm | enquote }}
+
+auth_mechanisms = plain
+auth_username_format = %Lu
+disable_plaintext_auth = yes
+
+mail_uid = vmail
+mail_gid = vmail
+mail_privileged_group = vmail
+
+mail_home = /srv/mail/%d/%n
+mail_location = maildir:~/mail:LAYOUT=fs
+
+
+# TODO userdb vs passdb
+passdb {
+	driver = passwd-file
+	args = username_format=%u /etc/dovecot/auth
+}
+
+namespace inbox {
+	inbox = yes
+
+	mailbox Spam {
+		auto = subscribe
+		special_use = \Junk
+	}
+
+	mailbox Trash {
+		auto = subscribe
+		special_use = \Trash
+	}
+
+	mailbox Drafts {
+		auto = subscribe
+		special_use = \Drafts
+	}
+
+	mailbox Sent {
+		auto = subscribe
+		special_use = \Sent
+	}
+}
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml
new file mode 100644
index 0000000..85e173e
--- /dev/null
+++ b/roles/postfix/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+postfix__destination_concurrency_limit: 50
+postfix__destination_rate_delay: 3s
+postfix__destination_recipient_limit: 50
+postfix__recipient_delimiter: +
+postfix__virtual_aliases: {}
+postfix__virtual_mailbox_domains: []
+postfix__virtual_mailboxes: {}
+...
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
new file mode 100644
index 0000000..35f70de
--- /dev/null
+++ b/roles/postfix/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Reload postfix
+  systemd:
+    name: postfix.service
+    state: reloaded
+...
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
new file mode 100644
index 0000000..0cf9fb2
--- /dev/null
+++ b/roles/postfix/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Install postfix
+  apt:
+    name: postfix
+
+- name: Configure postfix
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+  loop:
+    - src: main.cf.j2
+      dest: /etc/postfix/main.cf
+    - src: master.cf.j2
+      dest: /etc/postfix/master.cf
+    - src: virtual.j2
+      dest: /etc/postfix/virtual
+    - src: vmailbox.j2
+      dest: /etc/postfix/vmailbox
+  notify:
+    - Reload postfix
+
+- name: Enable and start postfix
+  systemd:
+    name: postfix.service
+    state: started
+    enabled: true
+...
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
new file mode 100644
index 0000000..47307dc
--- /dev/null
+++ b/roles/postfix/templates/main.cf.j2
@@ -0,0 +1,73 @@
+{{ ansible_managed | comment }}
+
+myhostname = {{ postfix__hostname }}
+smtpd_banner = $myhostname ESMTP
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+#delay_warning_time = 4h
+
+compatibility_level = 3.6
+
+virtual_alias_maps = texthash:/etc/postfix/virtual
+virtual_mailbox_domains = {{ postfix__virtual_mailbox_domains | join(" ") }}
+virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+
+smtpd_sender_login_maps = $virtual_mailbox_maps, $virtual_alias_maps
+
+#smtpd_sasl_type = dovecot
+#smtpd_sasl_path = private/auth
+
+alias_maps =
+
+# TODO peut-être
+#smtpd_helo_required = yes
+#strict_rfc821_envelopes = yes
+
+# TLS parameters
+smtp_tls_CApath = /etc/ssl/certs
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level = may
+
+# M2M
+smtpd_client_restrictions = permit
+smtpd_helo_restrictions = permit
+smtpd_recipient_restrictions =
+    reject_unverified_recipient,
+    permit
+smtpd_relay_restrictions =
+    reject_unauth_destination,
+    permit
+smtpd_sender_restrictions = permit
+
+# MUA
+mua_client_restrictions =
+    permit_sasl_authenticated,
+    reject
+mua_helo_restrictions = permit
+# TODO match envelope
+mua_recipient_restrictions =
+    reject_authenticated_sender_login_mismatch,
+    permit_sasl_authenticated,
+    reject
+mua_reject_unlisted_sender = yes
+mua_reject_unlisted_recipient = no
+mua_relay_restrictions = permit
+mua_sasl_local_domain = {{ postfix__sasl_local_domain }}
+mua_sender_restrictions = permit
+# TODO mails depuis *@infra.auro.re + localhost
+
+#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+#mailbox_size_limit = 0
+recipient_delimiter = {{ postfix__recipient_delimiter }}
+inet_interfaces = all
+inet_protocols = all
+
+default_destination_rate_delay = {{ postfix__destination_rate_delay }}
+smtp_destination_concurrency_limit = {{ postfix__destination_concurrency_limit }}
+smtp_destination_recipient_limit = {{ postfix__destination_recipient_limit }}
diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2
new file mode 100644
index 0000000..faed178
--- /dev/null
+++ b/roles/postfix/templates/master.cf.j2
@@ -0,0 +1,60 @@
+{{ ansible_managed | comment }}
+
+# service    type        private  unpriv  chroot   wakeup  maxproc  command + args
+#            (yes)       (yes)    (no)    (never)  (100)
+
+smtp         inet        n        -       y        -       -        smtpd
+    -o syslog_name=postfix/smtp
+    -o smtpd_sasl_auth_enable=no
+    -o smtpd_tls_security_level=may
+
+submissions  inet        n        -       y        -       -        smtpd
+    -o syslog_name=postfix/submissions
+    -o smtpd_tls_wrappermode=yes
+    -o smtpd_sasl_auth_enable=yes
+    -o smtpd_sasl_type=dovecot
+    -o smtpd_sasl_path=private/auth
+    -o smtpd_sasl_security_options=noanonymous
+    -o smtpd_sasl_local_domain=$mua_sasl_local_domain
+    -o smtpd_reject_unlisted_sender=$mua_reject_unlisted_sender
+    -o smtpd_reject_unlisted_recipient=$mua_reject_unlisted_recipient
+    -o smtpd_client_restrictions=$mua_client_restrictions
+    -o smtpd_helo_restrictions=$mua_helo_restrictions
+    -o smtpd_sender_restrictions=$mua_sender_restrictions
+    -o smtpd_relay_restrictions=$mua_relay_restrictions
+    -o smtpd_recipient_restrictions=$mua_recipient_restrictions
+#     -o milter_macro_daemon_name=ORIGINATING
+
+pickup       unix        n        -       y        60      1        pickup
+cleanup      unix        n        -       y        -       0        cleanup
+qmgr         unix        n        -       n        300     1        qmgr
+tlsmgr       unix        -        -       y        1000?   1        tlsmgr
+rewrite      unix        -        -       y        -       -        trivial-rewrite
+bounce       unix        -        -       y        -       0        bounce
+defer        unix        -        -       y        -       0        bounce
+trace        unix        -        -       y        -       0        bounce
+verify       unix        -        -       y        -       1        verify
+flush        unix        n        -       y        1000?   0        flush
+proxymap     unix        -        -       n        -       -        proxymap
+proxywrite   unix        -        -       n        -       1        proxymap
+smtp         unix        -        -       y        -       -        smtp
+
+# TODO
+# relay        unix        -        -       y        -       -        smtp
+#     -o syslog_name=postfix/$service_name
+#     -o smtp_helo_timeout=5
+#     -o smtp_connect_timeout=5
+
+showq        unix        n        -       y        -       -        showq
+error        unix        -        -       y        -       -        error
+retry        unix        -        -       y        -       -        error
+discard      unix        -        -       y        -       -        discard
+local        unix        -        n       n        -       -        local
+virtual      unix        -        n       n        -       -        virtual
+lmtp         unix        -        -       y        -       -        lmtp
+anvil        unix        -        -       y        -       1        anvil
+scache       unix        -        -       y        -       1        scache
+postlog      unix-dgram  n        -       n        -       1        postlogd
+relay        unix        -        -       n        -       -        smtp
+    -o smtp_fallback_relay=
+#     -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
diff --git a/roles/postfix/templates/virtual.j2 b/roles/postfix/templates/virtual.j2
new file mode 100644
index 0000000..b611d2c
--- /dev/null
+++ b/roles/postfix/templates/virtual.j2
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+{% for src, dest in postfix__virtual_aliases.items() %}
+{{ src }} {{ dest }}
+{% endfor %}
diff --git a/roles/postfix/templates/vmailbox.j2 b/roles/postfix/templates/vmailbox.j2
new file mode 100644
index 0000000..d498783
--- /dev/null
+++ b/roles/postfix/templates/vmailbox.j2
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+{% for src, dest in postfix__virtual_mailboxes.items() %}
+{{ src }} {{ dest }}
+{% endfor %}