diff --git a/host_vars/mx.test.infra.auro.re.yml b/host_vars/mx.test.infra.auro.re.yml
index 0157a5f..f46f095 100644
--- a/host_vars/mx.test.infra.auro.re.yml
+++ b/host_vars/mx.test.infra.auro.re.yml
@@ -1,4 +1,12 @@
 ---
+dovecot__auth_default_realm: test.auro.re
+dovecot__auth_users:
+ jeltz@test.auro.re: "{plain}password"
+ lafeych@test.auro.re: "{plain}password"
+ toto@test.auro.re: "{plain}password"
+ root@test.auro.re: "{plain}L9yXSrCbbafMlMls5q7WWMKC612XNbXL"
+dovecot__lmtp_postmaster_address: postmaster@test.auro.re
+
 ifupdown2__interfaces:
 ext0:
 addresses:
diff --git a/playbooks/mail.yml b/playbooks/mail.yml
index e1c0661..67d60f9 100755
--- a/playbooks/mail.yml
+++ b/playbooks/mail.yml
@@ -4,4 +4,5 @@
 - vm_test
 roles:
 - postfix
+ - dovecot
 ...
diff --git a/roles/dovecot/defaults/main.yml b/roles/dovecot/defaults/main.yml
new file mode 100644
index 0000000..4031c1c
--- /dev/null
+++ b/roles/dovecot/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+dovecot__auth_users: {}
+...
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
new file mode 100644
index 0000000..4ead1c8
--- /dev/null
+++ b/roles/dovecot/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Reload dovecot
+ systemd:
+ name: dovecot.service
+ state: reloaded
+...
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
new file mode 100644
index 0000000..d405a4e
--- /dev/null
+++ b/roles/dovecot/tasks/main.yml
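Review bot: The `dovecot__auth_users` map added to `host_vars/mx.test.infra.auro.re.yml` commits mailbox credentials in cleartext: three accounts use `{plain}password`, and `root@test.auro.re` carries a literal `{plain}` secret that is now part of the repository history. Keep these values in an Ansible Vault-encrypted vars file and store a hashed Dovecot scheme instead of `{plain}` (for example the output of `doveadm pw -s BLF-CRYPT`), e.g. `root@test.auro.re: "{{ vault_dovecot_root_hash }}"` (variable name is a placeholder). That way neither the repository nor the rendered `/etc/dovecot/auth` holds a recoverable password. The root value visible in this hunk should be treated as exposed and rotated, even on a test host, in case it is reused elsewhere.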
@@ -0,0 +1,47 @@
+---
+- name: Install dovecot
+ apt:
+ name:
+ - dovecot-core
+ - dovecot-imapd
+ - dovecot-lmtpd
+ - dovecot-managesieved
+ - dovecot-sieve
+
+- name: Create group vmail for dovecot
+ group:
+ name: vmail
+
+- name: Create account vmail for dovecot
+ user:
+ group: vmail
+ home: /srv/mail
+ name: vmail
+ password: "!"
+ system: true
+
+- name: Configure dovecot main configuration
+ template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: "{{ item.group }}"
+ mode: "{{ item.mode }}"
+ loop:
+ - src: dovecot.conf.j2
+ dest: /etc/dovecot/dovecot.conf
+ group: root
+ mode: u=rw,g=,o=
+ - src: auth.j2
+ dest: /etc/dovecot/auth
+ group: dovecot
+ mode: u=rw,g=r,o=
+ notify:
+ - Reload dovecot
+
+- name: Enable and start dovecot
+ systemd:
+ name: dovecot.service
+ state: started
+ enabled: true
+...
diff --git a/roles/dovecot/templates/auth.j2 b/roles/dovecot/templates/auth.j2
new file mode 100644
index 0000000..cdb2cb0
--- /dev/null
+++ b/roles/dovecot/templates/auth.j2
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+{% for user, passwd in dovecot__auth_users.items() %}
+{{ user }}:{{ passwd }}
+{% endfor %}
diff --git a/roles/dovecot/templates/dovecot.conf.j2 b/roles/dovecot/templates/dovecot.conf.j2
new file mode 100644
index 0000000..1b25c2f
--- /dev/null
+++ b/roles/dovecot/templates/dovecot.conf.j2
@@ -0,0 +1,120 @@
+protocols = imap lmtp sieve
+
+ssl = yes
+ssl_cert =
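Review bot: The `Configure dovecot main configuration` task in `roles/dovecot/tasks/main.yml` renders `auth.j2`, the credential file, in the same loop as `dovecot.conf.j2` with neither `no_log` nor `diff: false`. A run with `--diff` would therefore print the rendered password entries to the terminal and to any logging callback. Moving the auth file into its own task with `no_log: true` keeps the secrets out of run output while leaving the main configuration diffable. As a smaller style point, the `apt:` call in `Install dovecot` would read more clearly with an explicit `state: present`.

```yaml
# … unchanged: template task, now looping over dovecot.conf.j2 only …

- name: Configure dovecot auth database
  template:
    src: auth.j2
    dest: /etc/dovecot/auth
    owner: root
    group: dovecot
    mode: u=rw,g=r,o=
  no_log: true
  notify:
    - Reload dovecot
```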
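Review bot: The loop line `{{ user }}:{{ passwd }}` in `auth.j2` writes both values unchecked into what appears to be a colon-delimited, one-entry-per-line file, so a key or value containing `:` or a newline would shift fields or create an extra entry. How Dovecot consumes this file is not visible here because `dovecot.conf.j2` is cut off, so this assumes the passwd-file format. An `assert` task before the template step would make a malformed inventory entry fail the play instead of producing a corrupt auth database, for example `that: dovecot__auth_users | dict2items | selectattr('value', 'search', '[:\n]') | list | length == 0`, with the same check on `key`. A short comment at the top of the template naming the expected `user:{SCHEME}hash` form would also help the next maintainer.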