diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..ddb03ec
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,30 @@
+---
+kind: pipeline
+name: default
+
+steps:
+  - name: build image only
+    image: plugins/docker
+    settings:
+      repo: eumau/dovecot
+      auto_tag: true
+      dry_run: true
+    when:
+      ref:
+        - refs/pull/**
+      # event no anda (?)
+      # event:
+      #   - pull_request
+
+  - name: build and publish image
+    image: plugins/docker
+    settings:
+      repo: eumau/dovecot
+      auto_tag: true
+      username:
+        from_secret: dockerhub_username
+      password:
+        from_secret: dockerhub_password
+    when:
+      branch:
+        - master
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..adac7f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*~
+\#*
+.#*
diff --git a/10-mail.conf b/10-mail.conf
new file mode 100644
index 0000000..4fe8a52
--- /dev/null
+++ b/10-mail.conf
@@ -0,0 +1,305 @@
+##
+## Mailbox locations and namespaces
+##
+mail_location = mdbox:~/dbox
+mail_attribute_dict = file:~/dovecot-attributes
+
+namespace inbox {
+  # Namespace type: private, shared or public
+  #type = private
+  separator = /
+  #prefix =
+  #location =
+
+  # There can be only one INBOX, and this setting defines which namespace
+  # has it.
+  inbox = yes
+
+  #hidden = no
+  #list = yes
+  #subscriptions = yes
+
+  # See 15-mailboxes.conf for definitions of special mailboxes.
+}
+
+# System user and group used to access mails. If you use multiple, userdb
+# can override these by returning uid or gid fields. You can use either numbers
+# or names. <doc/wiki/UserIds.txt>
+mail_uid = vmail
+mail_gid = vmail
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+#mail_privileged_group =
+
+# Grant access to these supplementary groups for mail processes. Typically
+# these are used to set up access to shared mailboxes. Note that it may be
+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+#mail_access_groups =
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
+#mail_attribute_dict =
+
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment".
+#mail_server_comment = ""
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+#mail_server_admin =
+
+##
+## Mail processes
+##
+
+# Don't use mmap() at all. This is required if you store indexes to shared
+# filesystems (NFS or clustered filesystem).
+#mmap_disable = no
+
+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
+# since version 3, so this should be safe to use nowadays by default.
+#dotlock_use_excl = yes
+
+# When to use fsync() or fdatasync() calls:
+#   optimized (default): Whenever necessary to avoid losing important data
+#   always: Useful with e.g. NFS when write()s are delayed
+#   never: Never use it (best performance, but crashes can lose data)
+#mail_fsync = optimized
+
+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
+# Dotlocking uses some tricks which may create more disk I/O than other locking
+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
+#lock_method = fcntl
+
+# Directory in which LDA/LMTP temporarily stores incoming mails >128 kB.
+#mail_temp_dir = /tmp
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+#first_valid_uid = 500
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Maximum allowed length for mail keyword name. It's only forced when trying
+# to create new keywords.
+#mail_max_keyword_length = 50
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
+# settings. If this setting is empty, "/./" in home dirs are ignored.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users. <doc/wiki/Chrooting.txt>
+#valid_chroot_dirs =
+
+# Default chroot directory for mail processes. This can be overridden for
+# specific users in user database by giving /./ in user's home directory
+# (eg. /home/./user chroots into /home). Note that usually there is no real
+# need to do chrooting, Dovecot doesn't allow users to access files outside
+# their mail directory anyway. If your home directories are prefixed with
+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
+#mail_chroot =
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+#auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Directory where to look up mail plugins.
+#mail_plugin_dir = /usr/lib/dovecot/modules
+
+# Space separated list of plugins to load for all services. Plugins specific to
+# IMAP, LDA, etc. are added to this list in their own .conf files.
+# mail_plugins = $mail_plugins
+
+##
+## Mailbox handling optimizations
+##
+
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+mailbox_list_index = yes
+
+# The minimum number of mails in a mailbox before updates are done to cache
+# file. This allows optimizing Dovecot's behavior to do less disk writes at
+# the cost of more disk reads.
+#mail_cache_min_mail_count = 0
+
+# When IDLE command is running, mailbox is checked once in a while to see if
+# there are any new mails or other changes. This setting defines the minimum
+# time to wait between those checks. Dovecot can also use inotify and
+# kqueue to find out immediately when changes occur.
+#mailbox_idle_check_interval = 30 secs
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+# Also note that if other software reads the mboxes/maildirs, they may handle
+# the extra CRs wrong and cause problems.
+#mail_save_crlf = no
+
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
+##
+## Maildir-specific settings
+##
+
+# By default LIST command returns all entries in maildir beginning with a dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# When copying a message, do it with hard links whenever possible. This makes
+# the performance much better, and it's unlikely to have any side effects.
+#maildir_copy_with_hardlinks = yes
+
+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
+#maildir_very_dirty_syncs = no
+
+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
+##
+## mbox-specific settings
+##
+
+# Which locking methods to use for locking mbox. There are four available:
+#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
+#           solution. If you want to use /var/mail/ like directory, the users
+#           will need write access to that directory.
+#  dotlock_try: Same as dotlock, but if it fails because of permissions or
+#               because there isn't enough disk space, just skip it.
+#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
+#  flock  : May not exist in all systems. Doesn't work with NFS.
+#  lockf  : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use multiple locking methods; if you do the order they're declared
+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+# locking methods as well. Some operating systems don't allow using some of
+# them simultaneously.
+#
+# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
+# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
+#       Dovecot: mbox_write_locks = dotlock fcntl
+#       Debian:  mbox_write_locks = fcntl dotlock
+#
+#mbox_read_locks = fcntl
+#mbox_write_locks = fcntl dotlock
+
+# Maximum time to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 5 mins
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this much time.
+#mbox_dotlock_change_timeout = 2 mins
+
+# When mbox changes unexpectedly we have to fully read it to find out what
+# changed. If the mbox is large this can take a long time. Since the change
+# is usually just a newly appended mail, it'd be faster to simply read the
+# new mails. If this setting is enabled, Dovecot does this but still safely
+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
+# how it's expected to be. The only real downside to this setting is that if
+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# commands.
+#mbox_dirty_syncs = yes
+
+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
+#mbox_very_dirty_syncs = no
+
+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
+# commands and when closing the mailbox). This is especially useful for POP3
+# where clients often delete all mails. The downside is that our changes
+# aren't immediately visible to other MUAs.
+#mbox_lazy_writes = yes
+
+# If mbox size is smaller than this (e.g. 100k), don't write index files.
+# If an index file already exists it's still read, just not updated.
+#mbox_min_index_size = 0
+
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
+##
+## mdbox-specific settings
+##
+
+# Maximum dbox file size until it's rotated.
+#mdbox_rotate_size = 2M
+
+# Maximum dbox file age until it's rotated. Typically in days. Day begins
+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
+#mdbox_rotate_interval = 0
+
+# When creating new mdbox files, immediately preallocate their size to
+# mdbox_rotate_size. This setting currently works only in Linux with some
+# filesystems (ext4, xfs).
+#mdbox_preallocate_space = no
+
+##
+## Mail attachments
+##
+
+# sdbox and mdbox support saving mail attachments to external files, which
+# also allows single instance storage for them. Other backends don't support
+# this for now.
+
+# Directory root where to store mail attachments. Disabled, if empty.
+mail_attachment_dir = /vmail/attachments
+
+# Attachments smaller than this aren't saved externally. It's also possible to
+# write a plugin to disable saving specific attachments externally.
+mail_attachment_min_size = 64k
+
+# Filesystem backend to use for saving attachments:
+#  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
+#  sis posix : SiS with immediate byte-by-byte comparison during saving
+#  sis-queue posix : SiS with delayed comparison and deduplication
+mail_attachment_fs = sis-queue /vmail/attachments-queue:posix
+
+# Hash format to use in attachment filenames. You can add any text and
+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
+mail_attachment_hash = %{sha1}
diff --git a/10-master.conf b/10-master.conf
new file mode 100644
index 0000000..d7dfb7c
--- /dev/null
+++ b/10-master.conf
@@ -0,0 +1,118 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+  inet_listener imap {
+    #port = 143
+  }
+  inet_listener imaps {
+    #port = 993
+    #ssl = yes
+  }
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  service_count = 0
+
+  # Number of processes to always keep waiting for more connections.
+  process_min_avail = 1
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    #port = 110
+  }
+  inet_listener pop3s {
+    #port = 995
+    #ssl = yes
+  }
+}
+
+service lmtp {
+  unix_listener lmtp {
+    #mode = 0666
+  }
+
+  # Create inet listener only if you can't use the above UNIX socket
+  inet_listener lmtp {
+    # Avoid making LMTP visible for the entire internet
+    #address =
+    port = 24
+  }
+}
+
+service imap {
+  # Most of the memory goes to mmap()ing files. You may need to increase this
+  # limit if you have huge mailboxes.
+  #vsz_limit = $default_vsz_limit
+
+  # Max. number of IMAP processes (connections)
+  #process_limit = 1024
+}
+
+service pop3 {
+  # Max. number of POP3 processes (connections)
+  #process_limit = 1024
+}
+
+service auth {
+  # auth_socket_path points to this userdb socket by default. It's typically
+  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+  # full permissions to this socket are able to get a list of all usernames and
+  # get the results of everyone's userdb lookups.
+  #
+  # The default 0666 mode allows anyone to connect to the socket, but the
+  # userdb lookups will succeed only if the userdb returns an "uid" field that
+  # matches the caller process's UID. Also if caller's uid or gid matches the
+  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+  #
+  # To give the caller full permissions to lookup all users, set the mode to
+  # something else than 0666 and Dovecot lets the kernel enforce the
+  # permissions (e.g. 0777 allows everyone full permissions).
+  unix_listener auth-userdb {
+    #mode = 0666
+    #user =
+    #group =
+  }
+
+  inet_listener {
+    port = 12345
+  }
+
+  # Auth process is run as this user.
+  #user = $default_internal_user
+}
+
+service auth-worker {
+  # Auth worker process is run as root by default, so that it can access
+  # /etc/shadow. If this isn't necessary, the user should be changed to
+  # $default_internal_user.
+  #user = root
+}
+
+service dict {
+  # If dict proxy is used, mail processes should have access to its socket.
+  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+  unix_listener dict {
+    #mode = 0600
+    #user =
+    #group =
+  }
+}
diff --git a/10-ssl.conf b/10-ssl.conf
new file mode 100644
index 0000000..39c821d
--- /dev/null
+++ b/10-ssl.conf
@@ -0,0 +1,62 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = yes
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </ssl/cert.pem
+ssl_key = </ssl/key.pem
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+#ssl_ca =
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
+# directory is usually /etc/ssl/certs in Debian-based systems and the file is
+# /etc/pki/tls/cert.pem in RedHat-based systems.
+#ssl_client_ca_dir =
+#ssl_client_ca_file =
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# DH parameters length to use.
+#ssl_dh_parameters_length = 1024
+
+# SSL protocols to use
+#ssl_protocols = !SSLv3
+
+# SSL ciphers to use
+#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+#   no_compression - Disable compression.
+#ssl_options =
diff --git a/15-mailboxes.conf b/15-mailboxes.conf
new file mode 100644
index 0000000..1a5ac41
--- /dev/null
+++ b/15-mailboxes.conf
@@ -0,0 +1,81 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+#   Indicates whether the mailbox with this name is automatically created
+#   implicitly when it is first accessed. The user can also be automatically
+#   subscribed to the mailbox after creation. The following values are
+#   defined for this setting:
+#
+#     no        - Never created automatically.
+#     create    - Automatically created, but no automatic subscription.
+#     subscribe - Automatically created and subscribed.
+#
+# special_use:
+#   A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+#   mailbox. There are no validity checks, so you could specify anything
+#   you want in here, but it's not a good idea to use flags other than the
+#   standard ones specified in the RFC:
+#
+#     \All      - This (virtual) mailbox presents all messages in the
+#                 user's message store.
+#     \Archive  - This mailbox is used to archive messages.
+#     \Drafts   - This mailbox is used to hold draft messages.
+#     \Flagged  - This (virtual) mailbox presents all messages in the
+#                 user's message store marked with the IMAP \Flagged flag.
+#     \Junk     - This mailbox is where messages deemed to be junk mail
+#                 are held.
+#     \Sent     - This mailbox is used to hold copies of messages that
+#                 have been sent.
+#     \Trash    - This mailbox is used to hold messages that have been
+#                 deleted.
+#
+# comment:
+#   Defines a default comment or note associated with the mailbox. This
+#   value is accessible through the IMAP METADATA mailbox entries
+#   "/shared/comment" and "/private/comment". Users with sufficient
+#   privileges can override the default value for entries with a custom
+#   value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+  # These mailboxes are widely used and could perhaps be created automatically:
+  mailbox Drafts {
+    special_use = \Drafts
+    auto = subscribe
+  }
+  mailbox Junk {
+    special_use = \Junk
+    auto = subscribe
+  }
+  mailbox Trash {
+    special_use = \Trash
+    auto = subscribe
+  }
+
+  # For \Sent mailboxes there are two widely used names. We'll mark both of
+  # them as \Sent. User typically deletes one of them if duplicates are created.
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+
+  # If you have a virtual "All messages" mailbox:
+  mailbox virtual/All {
+    special_use = \All
+    comment = All messages
+  }
+
+  # If you have a virtual "Flagged" mailbox:
+  mailbox virtual/Flagged {
+    special_use = \Flagged
+    comment = Flagged messages
+  }
+}
diff --git a/20-imap.conf b/20-imap.conf
new file mode 100644
index 0000000..a6282bc
--- /dev/null
+++ b/20-imap.conf
@@ -0,0 +1,75 @@
+##
+## IMAP specific settings
+##
+
+# If nothing happens for this long while client is IDLEing, move the connection
+# to imap-hibernate process and close the old imap process. This saves memory,
+# because connections use very little memory in imap-hibernate process. The
+# downside is that recreating the imap process back uses some resources.
+#imap_hibernate_timeout = 0
+
+# Maximum IMAP command line length. Some clients generate very long command
+# lines with huge mailboxes, so you may need to raise this if you get
+# "Too long argument" or "IMAP command line too large" errors often.
+#imap_max_line_length = 64k
+
+# IMAP logout format string:
+#  %i - total number of bytes read from client
+#  %o - total number of bytes sent to client
+#  %{fetch_hdr_count} - Number of mails with mail header data sent to client
+#  %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
+#  %{fetch_body_count} - Number of mails with mail body data sent to client
+#  %{fetch_body_bytes} - Number of bytes with mail body data sent to client
+#  %{deleted} - Number of mails where client added \Deleted flag
+#  %{expunged} - Number of mails that client expunged
+#  %{trashed} - Number of mails that client copied/moved to the
+#               special_use=\Trash mailbox.
+#imap_logout_format = in=%i out=%o
+
+# Override the IMAP CAPABILITY response. If the value begins with '+',
+# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
+imap_capability = +SPECIAL_USE
+
+# How long to wait between "OK Still here" notifications when client is
+# IDLEing.
+#imap_idle_notify_interval = 2 mins
+
+# ID field names and values to send to clients. Using * as the value makes
+# Dovecot use the default value. The following fields have default values
+# currently: name, version, os, os-version, support-url, support-email.
+#imap_id_send =
+
+# ID fields sent by client to log. * means everything.
+#imap_id_log =
+
+# Workarounds for various client bugs:
+#   delay-newmail:
+#     Send EXISTS/RECENT new mail notifications only when replying to NOOP
+#     and CHECK commands. Some clients ignore them otherwise, for example OSX
+#     Mail (<v2.1). Outlook Express breaks more badly though, without this it
+#     may show user "Message no longer in server" errors. Note that OE6 still
+#     breaks even with this workaround if synchronization is set to
+#     "Headers Only".
+#   tb-extra-mailbox-sep:
+#     Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
+#     adds extra '/' suffixes to mailbox names. This option causes Dovecot to
+#     ignore the extra '/' instead of treating it as invalid mailbox name.
+#   tb-lsub-flags:
+#     Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
+#     This makes Thunderbird realize they aren't selectable and show them
+#     greyed out, instead of only later giving "not selectable" popup error.
+#
+# The list is space-separated.
+#imap_client_workarounds =
+
+# Host allowed in URLAUTH URLs sent by client. "*" allows all.
+#imap_urlauth_host =
+
+protocol imap {
+  # Space separated list of plugins to load (default is global mail_plugins).
+  mail_plugins = $mail_plugins antispam
+
+  # Maximum number of IMAP connections allowed for a user from each IP address.
+  # NOTE: The username is compared case-sensitively.
+  #mail_max_userip_connections = 10
+}
diff --git a/90-antispam.conf b/90-antispam.conf
new file mode 100644
index 0000000..024cded
--- /dev/null
+++ b/90-antispam.conf
@@ -0,0 +1,184 @@
+plugin {
+
+##################
+# GENERIC OPTIONS
+
+# Debugging options
+# Uncomment to get the desired debugging behaviour.
+# Note that in some cases stderr debugging will not be as
+# verbose as syslog debugging due to internal limitations.
+#
+# antispam_debug_target = syslog
+# antispam_debug_target = stderr
+# antispam_verbose_debug = 1
+antispam_debug_target = stderr
+# FIXME disable debug
+antispam_verbose_debug = 1
+
+# backend selection, MUST be configured first,
+# there's no default so you need to set one of
+# these options:
+# antispam_backend = crm114
+# antispam_backend = dspam
+# antispam_backend = pipe
+# antispam_backend = spool2dir
+antispam_backend = pipe
+
+# mail signature (used with any backend requiring a signature)
+antispam_signature = X-Bogosity
+
+# action to take on mails without signature
+# (used with any backend requiring a signature)
+# (we recommend only setting this to 'move' after verifying that the
+# whole setup is working)
+# antispam_signature_missing = move # move silently without training
+antispam_signature_missing = error
+
+# The list of folders for trash, spam and unsure can be given
+# with three options, e.g. "trash" matches the given folders
+# exactly as written, "trash_pattern" accept the * wildcard at
+# the end of the foldername, "trash_pattern_ignorecase"
+# accepts the * wildcard at the end of the foldername _and_
+# matches the name case insensitivly.
+
+# the *-wildcard with the following meaning:
+#    * at the end: any folder that _start_ with the string
+# e.g.:
+#     antispam_trash_pattern = deleted *;Gel&APY-schte *
+# match any folders that start with "deleted " or "Gelöschte "
+# match is _case_senstive_!
+#
+#     antispam_trash_pattern_ignorecase = deleted *;Gel&APY-schte *
+# match any folders that start with "deleted " or "gelöschte "
+# match is _case_insenstive_, except the non-USASCII letters,
+# "ö" in this example.
+# To match the upper-case Ö, too, you need to add yet another
+# pattern "gel&ANY-schte *", note the different UTF7 encoding:
+# &ANY- instead of &APY-.
+
+# semicolon-separated list of Trash folders (default unset i.e. none)
+# antispam_trash =
+# antispam_trash = trash;Trash;Deleted Items; Deleted Messages
+# antispam_trash_pattern = trash;Trash;Deleted *
+# antispam_trash_pattern_ignorecase =trash;deleted *
+antispam_trash = Trash;trash;mail/trash;Deleted Messages
+
+# semicolon-separated list of spam folders
+# antispam_spam = SPAM
+# antispam_spam_pattern = SPAM
+# antispam_spam_pattern_ignorecase = junk*;spam*
+antispam_spam = Junk;junk;Junk Mail;Spam;spam;SPAM
+
+# semicolon-separated list of unsure folders (default unset i.e. none)
+# antispam_unsure =
+# antispam_unsure_pattern =
+# antispam_unsure_pattern_ignorecase =
+
+# Whether to allow APPENDing to SPAM folders or not. Must be set to
+# "yes" (case insensitive) to be activated. Before activating, please
+# read the discussion below.
+# antispam_allow_append_to_spam = no
+
+###########################
+# BACKEND SPECIFIC OPTIONS
+#
+
+#===================
+# dspam plugin
+
+# dspam binary
+# antispam_dspam_binary = /usr/bin/dspam
+
+# semicolon-separated list of extra arguments to dspam
+# (default unset i.e. none)
+# antispam_dspam_args =
+# antispam_dspam_args = --deliver=;--user;%u  # % expansion done by dovecot
+# antispam_dspam_args = --mode=teft
+
+# Ignore mails where the DSPAM result header contains any of the
+# strings listed in the blacklist
+# (default unset i.e. none)
+# antispam_dspam_result_header = X-DSPAM-Result
+# semicolon-separated list of blacklisted results, case insensitive
+# antispam_dspam_result_blacklist = Virus
+
+# semicolon-separated list of environment variables to set
+# (default unset i.e. none)
+# antispam_dspam_env =
+# antispam_dspam_env = HOME=%h;USER=%u
+
+#=====================
+# pipe plugin
+#
+# This plug can be used to train via an arbitrary program that
+# receives the message on standard input. Since sendmail can be
+# such a program, it can be used to send the message to another
+# email address for training there.
+#
+# For example:
+#   antispam_pipe_program = /path/to/mailtrain
+#        (defaults to /usr/sbin/sendmail)
+#   antispam_pipe_program_args = --for;%u
+#   antispam_pipe_program_spam_arg = --spam
+#   antispam_pipe_program_notspam_arg = --ham
+#   antispam_pipe_tmpdir = /tmp
+# will call it, for example, like this:
+#   /path/to/mailtrain --for jberg --spam
+#
+# The old configuration options from when this plugin was called
+# "mailtrain" are still valid, these are, in the same order as
+# above: antispam_mail_sendmail, antispam_mail_sendmail_args,
+# antispam_mail_spam, antispam_mail_notspam and antispam_mail_tmpdir.
+#
+# Alternatively, if you need to give multiple options, you can use
+# the spam_args/notspam_args parameters (which are used in preference
+# of the singular form):
+#   antispam_pipe_program_spam_args = --spam;--my-other-param1
+#   antispam_pipe_program_notspam_args = --ham;--my-other-param2
+# which will then call
+#   /path/to/mailtrain --for jberg --spam --my-other-param1
+
+# temporary directory
+antispam_pipe_tmpdir = /tmp
+
+# spam/not-spam argument (default unset which will is not what you want)
+antispam_pipe_program_spam_arg    = -s
+antispam_pipe_program_notspam_arg = -n
+
+# binary to pipe mail to
+antispam_pipe_program = /usr/bin/bogofilter
+#antispam_pipe_program_args = -f;%u@example.com # % expansion done by dovecot
+antispam_pipe_program_args = -l
+
+#===================
+# crm114 plugin
+
+# mailreaver binary
+# antispam_crm_binary = /bin/false
+# antispam_crm_binary = /usr/share/crm114/mailreaver.crm
+
+# semicolon-separated list of extra arguments to crm114
+# (default unset i.e. none)
+# antispam_crm_args =
+# antispam_crm_args = --config=/path/to/config
+
+# semicolon-separated list of environment variables to set
+# (default unset i.e. none)
+# antispam_crm_env =
+# antispam_crm_env = HOME=%h;USER=%u
+
+# NOTE: you need to set the signature for this backend
+# antispam_signature = X-CRM114-CacheID
+
+#===================
+# spool2dir plugin
+
+# spam/not-spam spool2dir drop (default unset which will give errors)
+# The first %%lu is replaced by the current time.
+# The second %%lu is replaced by a counter to generate unique names.
+# These two tokens MUST be present in the template! However
+# you can insert any C-style modifier as shown.
+# antispam_spool2dir_spam    = /tmp/spamspool/%%020lu-%u-%%05lus
+# antispam_spool2dir_notspam = /tmp/spamspool/%%020lu-%u-%%05luh
+
+}
diff --git a/90-sieve.conf b/90-sieve.conf
new file mode 100644
index 0000000..12af1c9
--- /dev/null
+++ b/90-sieve.conf
@@ -0,0 +1,214 @@
+##
+## Settings for the Sieve interpreter
+##
+
+# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
+# by adding it to the respective mail_plugins= settings.
+
+# The Sieve interpreter can retrieve Sieve scripts from several types of
+# locations. The default `file' location type is a local filesystem path
+# pointing to a Sieve script file or a directory containing multiple Sieve
+# script files. More complex setups can use other location types such as
+# `ldap' or `dict' to fetch Sieve scripts from remote databases.
+#
+# All settings that specify the location of one ore more Sieve scripts accept
+# the following syntax:
+#
+# location = [<type>:]path[;<option>[=<value>][;...]]
+#
+# If the type prefix is omitted, the script location type is 'file' and the
+# location is interpreted as a local filesystem path pointing to a Sieve script
+# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
+# information.
+
+plugin {
+  # The location of the user's main Sieve script or script storage. The LDA
+  # Sieve plugin uses this to find the active script for Sieve filtering at
+  # delivery. The "include" extension uses this location for retrieving
+  # :personal" scripts. This is also where the  ManageSieve service will store
+  # the user's scripts, if supported.
+  #
+  # Currently only the 'file:' location type supports ManageSieve operation.
+  # Other location types like 'dict:' and 'ldap:' can currently only
+  # be used as a read-only script source ().
+  #
+  # For the 'file:' type: use the ';active=' parameter to specify where the
+  # active script symlink is located.
+  # For other types: use the ';name=' parameter to specify the name of the
+  # default/active script.
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+
+  # The default Sieve script when the user has none. This is the location of a
+  # global sieve script file, which gets executed ONLY if user's personal Sieve
+  # script doesn't exist. Be sure to pre-compile this script manually using the
+  # sievec command line tool if the binary is not stored in a global location.
+  # --> See sieve_before for executing scripts before the user's personal
+  #     script.
+  #sieve_default = /var/lib/dovecot/sieve/default.sieve
+
+  # The name by which the default Sieve script (as configured by the
+  # sieve_default setting) is visible to the user through ManageSieve.
+  #sieve_default_name =
+
+  # Location for ":global" include scripts as used by the "include" extension.
+  #sieve_global =
+
+  # The location of a Sieve script that is run for any message that is about to
+  # be discarded; i.e., it is not delivered anywhere by the normal Sieve
+  # execution. This only happens when the "implicit keep" is canceled, by e.g.
+  # the "discard" action, and no actions that deliver the message are executed.
+  # This "discard script" can prevent discarding the message, by executing
+  # alternative actions. If the discard script does nothing, the message is
+	# still discarded as it would be when no discard script is configured.
+  #sieve_discard =
+
+  # Location Sieve of scripts that need to be executed before the user's
+  # personal script. If a 'file' location path points to a directory, all the
+  # Sieve scripts contained therein (with the proper `.sieve' extension) are
+  # executed. The order of execution within that directory is determined by the
+  # file names, using a normal 8bit per-character comparison.
+  #
+  # Multiple script locations can be specified by appending an increasing number
+  # to the setting name. The Sieve scripts found from these locations are added
+  # to the script execution sequence in the specified order. Reading the
+  # numbered sieve_before settings stops at the first missing setting, so no
+  # numbers may be skipped.
+  sieve_before = /etc/dovecot/sieve/before
+  #sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
+  #sieve_before3 = (etc...)
+
+  # Identical to sieve_before, only the specified scripts are executed after the
+  # user's script (only when keep is still in effect!). Multiple script
+  # locations can be specified by appending an increasing number.
+  sieve_after = /etc/dovecot/sieve/after
+  #sieve_after2 =
+  #sieve_after2 = (etc...)
+
+  # Which Sieve language extensions are available to users. By default, all
+  # supported extensions are available, except for deprecated extensions or
+  # those that are still under development. Some system administrators may want
+  # to disable certain Sieve extensions or enable those that are not available
+  # by default. This setting can use '+' and '-' to specify differences relative
+  # to the default. For example `sieve_extensions = +imapflags' will enable the
+  # deprecated imapflags extension in addition to all extensions were already
+  # enabled by default.
+  #sieve_extensions = +notify +imapflags
+
+  # Which Sieve language extensions are ONLY available in global scripts. This
+  # can be used to restrict the use of certain Sieve extensions to administrator
+  # control, for instance when these extensions can cause security concerns.
+  # This setting has higher precedence than the `sieve_extensions' setting
+  # (above), meaning that the extensions enabled with this setting are never
+  # available to the user's personal script no matter what is specified for the
+  # `sieve_extensions' setting. The syntax of this setting is similar to the
+  # `sieve_extensions' setting, with the difference that extensions are
+  # enabled or disabled for exclusive use in global scripts. Currently, no
+  # extensions are marked as such by default.
+  #sieve_global_extensions =
+
+  # The Pigeonhole Sieve interpreter can have plugins of its own. Using this
+  # setting, the used plugins can be specified. Check the Dovecot wiki
+  # (wiki2.dovecot.org) or the pigeonhole website
+  # (http://pigeonhole.dovecot.org) for available plugins.
+  # The sieve_extprograms plugin is included in this release.
+  #sieve_plugins =
+
+  # The separator that is expected between the :user and :detail
+  # address parts introduced by the subaddress extension. This may
+  # also be a sequence of characters (e.g. '--'). The current
+  # implementation looks for the separator from the left of the
+  # localpart and uses the first one encountered. The :user part is
+  # left of the separator and the :detail part is right. This setting
+  # is also used by Dovecot's LMTP service.
+  #recipient_delimiter = +
+
+  # The maximum size of a Sieve script. The compiler will refuse to compile any
+  # script larger than this limit. If set to 0, no limit on the script size is
+  # enforced.
+  #sieve_max_script_size = 1M
+
+  # The maximum number of actions that can be performed during a single script
+  # execution. If set to 0, no limit on the total number of actions is enforced.
+  #sieve_max_actions = 32
+
+  # The maximum number of redirect actions that can be performed during a single
+  # script execution. If set to 0, no redirect actions are allowed.
+  #sieve_max_redirects = 4
+
+  # The maximum number of personal Sieve scripts a single user can have. If set
+  # to 0, no limit on the number of scripts is enforced.
+  # (Currently only relevant for ManageSieve)
+  #sieve_quota_max_scripts = 0
+
+  # The maximum amount of disk storage a single user's scripts may occupy. If
+  # set to 0, no limit on the used amount of disk storage is enforced.
+  # (Currently only relevant for ManageSieve)
+  #sieve_quota_max_storage = 0
+
+  # The primary e-mail address for the user. This is used as a default when no
+  # other appropriate address is available for sending messages. If this setting
+  # is not configured, either the postmaster or null "<>" address is used as a
+  # sender, depending on the action involved. This setting is important when
+  # there is no message envelope to extract addresses from, such as when the
+  # script is executed in IMAP.
+  #sieve_user_email =
+
+  # The path to the file where the user log is written. If not configured, a
+  # default location is used. If the main user's personal Sieve (as configured
+  # with sieve=) is a file, the logfile is set to <filename>.log by default. If
+  # it is not a file, the default user log file is ~/.dovecot.sieve.log.
+  #sieve_user_log =
+
+  # Specifies what envelope sender address is used for redirected messages.
+  # The following values are supported for this setting:
+  #
+  #   "sender"         - The sender address is used (default).
+  #   "recipient"      - The final recipient address is used.
+  #   "orig_recipient" - The original recipient is used.
+  #   "user_email"     - The user's primary address is used. This is
+  #                      configured with the "sieve_user_email" setting. If
+  #                      that setting is unconfigured, "user_mail" is equal to
+  #                      "recipient".
+  #   "postmaster"     - The postmaster_address configured for the LDA.
+  #   "<user@domain>"  - Redirected messages are always sent from user@domain.
+  #                      The angle brackets are mandatory. The null "<>" address
+  #                      is also supported.
+  #
+  # This setting is ignored when the envelope sender is "<>". In that case the
+  # sender of the redirected message is also always "<>".
+  #sieve_redirect_envelope_from = sender
+
+  ## TRACE DEBUGGING
+  # Trace debugging provides detailed insight in the operations performed by
+  # the Sieve script. These settings apply to both the LDA Sieve plugin and the
+  # IMAPSIEVE plugin.
+  #
+  # WARNING: On a busy server, this functionality can quickly fill up the trace
+  # directory with a lot of trace files. Enable this only temporarily and as
+  # selective as possible.
+
+  # The directory where trace files are written. Trace debugging is disabled if
+  # this setting is not configured or if the directory does not exist. If the
+  # path is relative or it starts with "~/" it is interpreted relative to the
+  # current user's home directory.
+  #sieve_trace_dir =
+
+  # The verbosity level of the trace messages. Trace debugging is disabled if
+  # this setting is not configured. Possible values are:
+  #
+  #   "actions"        - Only print executed action commands, like keep,
+  #                      fileinto, reject and redirect.
+  #   "commands"       - Print any executed command, excluding test commands.
+  #   "tests"          - Print all executed commands and performed tests.
+  #   "matching"       - Print all executed commands, performed tests and the
+  #                      values matched in those tests.
+  #sieve_trace_level =
+
+  # Enables highly verbose debugging messages that are usually only useful for
+  # developers.
+  #sieve_trace_debug = no
+
+  # Enables showing byte code addresses in the trace output, rather than only
+  # the source line numbers.
+  #sieve_trace_addresses = no
+}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..a792361
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,74 @@
+FROM eumau/debian:buster-slim
+LABEL maintainer "Mauro Torrez <mauro@mau.ro>"
+ARG DEBIAN_FRONTEND=noninteractive
+ENV LC_ALL C
+ENV \
+    MAIL_DOMAINS= \
+    AUTH_MECHANISMS=plain \
+    AUTH_USERNAME_FORMAT="%Lu" \
+    AUTH_MASTER_ENABLE= \
+    SUBMISSION_HOSTNAME=dovecot.dockernet \
+    SUBMISSION_RELAY_HOST= \
+    SUBMISSION_RELAY_PORT=25 \
+    SUBMISSION_RELAY_TRUSTED=yes \
+    SUBMISSION_RELAY_USER= \
+    SUBMISSION_RELAY_MASTER_USER= \
+    SUBMISSION_RELAY_PASSWORD= \
+    SUBMISSION_RELAY_SSL=starttls \
+    SUBMISSION_RELAY_SSL_VERIFY=no \
+    SUBMISSION_RELAY_RAWLOG_DIR= \
+    LDAP_ENABLE= \
+    LDAP_HOSTS="ldap:389" \
+    LDAP_URIS= \
+    LDAP_BIND=yes \
+    LDAP_VERSION=3 \
+    LDAP_BASE="dc=example,dc=org" \
+    LDAP_SCOPE=sub \
+    LDAP_USER_ATTRS="=home=/vmail/mail/%d/%n, =uid=5000, =gid=5000" \
+    LDAP_USER_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
+    LDAP_PASS_ATTRS="userPassword=password, =userdb_home=/vmail/mail/%d/%n, =userdb_uid=5000, =userdb_gid=5000" \
+    LDAP_PASS_FILTER="(&(objectClass=inetOrgPerson)(uid=%n))" \
+    LDAP_ITERATE_ATTRS="=user=%{ldap:uid}@%d" \
+    LDAP_ITERATE_FILTER="(objectClass=inetOrgPerson)" \
+    LDAP_DEFAULT_PASS_SCHEME=CRYPT \
+    ANTISPAM_ENABLE=yes \
+    IMAP_URLAUTH_HOST="*"
+
+RUN groupadd -g 5000 vmail && useradd -g vmail -u 5000 vmail -d /vmail \
+  && mkdir -p /vmail && chown vmail:vmail /vmail \
+  && apt-get update && apt-get install -y --no-install-recommends \
+     dovecot-lmtpd \
+     dovecot-imapd \
+     dovecot-ldap \
+     dovecot-sieve \
+     dovecot-submissiond \
+     dovecot-managesieved \
+     dovecot-antispam \
+     bogofilter \
+     ssl-cert \
+  && rm -rf /var/lib/apt/lists/* \
+  && mkdir -p /ssl && chmod 700 /ssl \
+  && cp /etc/ssl/certs/ssl-cert-snakeoil.pem /ssl/cert.pem \
+  && cp /etc/ssl/private/ssl-cert-snakeoil.key /ssl/key.pem \
+  && mkdir -p /etc/dovecot/local.d /etc/dovecot/sieve/before /etc/dovecot/sieve/after \
+  && printf '!include_try local.d/*.conf\nlog_path = /dev/stdout\n' > /etc/dovecot/local.conf
+
+ADD 10-mail.conf \
+  10-master.conf \
+  10-ssl.conf \
+  15-mailboxes.conf \
+  90-antispam.conf \
+  90-sieve.conf \
+  /etc/dovecot/conf.d/
+
+ADD junk-filter.sieve /etc/dovecot/sieve/before/
+
+ADD confd /etc/confd/
+
+RUN sievec /etc/dovecot/sieve/before
+
+VOLUME /etc/dovecot /ssl /vmail
+
+EXPOSE 110/tcp 143/tcp 587/tcp 993/tcp 995/tcp 2000/tcp
+
+CMD ["dovecot","-F"]
diff --git a/README.md b/README.md
index 8f84fd9..de275ea 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,163 @@
 # docker-image-dovecot
 
-Docker image for Dovecot.
\ No newline at end of file
+Docker image for Dovecot.
+
+## Configuración
+
+* `vmail_home` (`/srv/vmail`): home del usuario `vmail`.
+
+### Generales
+
+* `dovecot_user_home` (`{{ vmail_home }}/mail/%d/%n`): carpeta home de
+  cada usuario.
+* `dovecot_mail_location` (`{{dovecot_mailbox_format}}:~/dbox` o
+  `maildir:~/Maildir` según el valor de `dovecot_mailbox_format`):
+  ubicación de los mails de cada usuario.
+* `dovecot_mailbox_junk` (`Junk`): Nombre de la carpeta de spam.
+* `dovecot_mailbox_format` (`dbox`): formato del mailbox. Valores
+  posibles: `dbox`, `mdbox`, `sdbox`, `maildir`.
+* `dovecot_auth_username_format` (`%Lu`): formato del nombre de
+  usuario utilizado para autenticar.
+* `dovecot_auth_mechanisms` (`plain`): mecanismos de autenticación,
+  agregar `login` para compatibilidad con MS Outlook.
+* `dovecot_auth_system_enable` (`no`): habilitar login para usuarios
+  del sistema.
+* `dovecot_auth_master_enable` (`no`): habilitar usuarios _master_.
+
+### Protocolos
+
+* `dovecot_proto_imap_enable` (`yes`): activar IMAP.
+* `dovecot_proto_imaps_enable` (`no`): activar IMAPS.
+* `dovecot_proto_pop3_enable` (`no`): activar POP3.
+* `dovecot_proto_pop3s_enable` (`no`): activar POP3S.
+* `dovecot_proto_managesieve_enable` (`yes`): activar
+  managesieve. Debe estar habilitado Sieve.
+
+### SSL
+
+* `dovecot_ssl_enable` (`yes`): habilitar ssl.
+* `dovecot_ssl_require` (`no`): requerir ssl.
+* `dovecot_ssl_cert` (`{{ tls_certificate }}`): path absoluto al
+  certificado SSL.
+* `dovecot_ssl_key` (`{{ tls_certificate_key }}`): path absoluto a la
+  clave privada SSL.
+
+### LDAP
+
+* `dovecot_ldap_enable` (`yes`): indica si habilitar la userdb/passdb
+  LDAP.
+* `dovecot_ldap_servers`: (`["localhost"]`): lista de servidores ldap
+  para consultar.
+* `dovecot_ldap_version` (`3`): version del protocolo LDAP.
+* `dovecot_ldap_base` (`ou=People,dc=%Dd`): base para la búsqueda en
+  LDAP. `%Dd` convierte `mi.dominio.com` en `mi,dc=dominio,dc=com`.
+* `dovecot_ldap_scope` (`subtree`): scope para la búsqueda. Valores
+  posibles: `base`, `onelevel`, `subtree`.
+* `dovecot_ldap_user_filter` (`(&(objectClass=inetOrgPerson)
+  (uid=%n))`): filtro para obtener la entrada del usuario LDAP.
+* `dovecot_ldap_pass_filter` (`(&(objectClass=inetOrgPerson)
+  (uid=%n))`): filtro para obtener la clave del usuario LDAP.
+* `dovecot_ldap_user_attrs` (`=home={{dovecot_user_home}},
+  =uid={{vmail_user}}, =gid={{vmail_group}}`): atributos del usuario.
+  Por defecto se usan valores pre-calculados, sin consultar LDAP.
+* `dovecot_ldap_pass_attrs` (`userPassword=password,
+  =userdb_home={{dovecot_user_home}}, =userdb_uid={{vmail_user}},
+  =userdb_gid={{vmail_group}}`): clave + mapeo de atributos
+  LDAP=Dovecot del usuario.
+* `dovecot_ldap_iterate_attrs` (`=user=%{ldap:uid}@%d`): iteracion que
+  lista todos los usuarios que Dovecot conoce. Es para poder ejecutar
+  el comando `doveadm -A`. El formato es `<atributo LDAP>=<atributo
+  Dovecot>` o bien `=<atributo Dovecot>=<TEMPLATE>`, en donde TEMPLATE
+  es un string con campos `%{ldap:<nombre_atributo_ldap>}` que son
+  reemplazados por el valor correspondiente traido de LDAP.
+  CAVEAT: al usar `%Dd` en `dovecot_ldap_base`, no se puede utilizar
+  `doveadm -A`, sino que siempre se debe especificar un dominio usando
+  `doveadom -u "*@dominio"`. Cuando la base LDAP es fija (sin `%algo`),
+  se puede simplificar este campo a `uid=user`.
+* `dovecot_ldap_iterate_filter` (`(objectClass=inetOrgPerson)`):
+  filtro para iteración, debe devolver todas las personas de tipo
+  `usuario` en LDAP.
+* `dovecot_ldap_default_pass_scheme` (`CRYPT`): esquema de clave en
+  ldap. No debería ser necesario con una autenticación bind.
+
+### Antispam
+
+La configuración antispam viene por defecto para Bogofilter.
+
+* `dovecot_antispam_enable` (`yes`): Indica si activar el plugin
+  antispam.
+* `dovecot_antispam_backend` (`pipe`): Backend. Valores posibles:
+  `crm114`, `dspam`, `pipe`, `spool2dir`.
+* `dovecot_antispam_signature` (`X-Bogosity`): Header que indica que
+  el mail ha sido escaneado para spam.
+* `dovecot_antispam_pipe_program` (`/usr/bin/bogofilter`): programa
+  que entrena leyendo el mail en STDIN.
+* `dovecot_antispam_pipe_program_args` (`-l`): argumentos pasados al
+  programa en todos los casos.
+* `dovecot_antispam_pipe_program_notspam_arg` (`-n`): argumento que
+  indica que el mail NO ES spam.
+* `dovecot_antispam_pipe_program_spam_arg` (`-s`): argumento que
+  indica que el mail ES spam.
+* `dovecot_antispam_pipe_tmpdir` (`/tmp`): directorio temporal de pipe
+  (creo que el mail se copia ahi primero).
+* `dovecot_antispam_signature_missing` (`error`): acción cuando se
+  mueve un mail que no tiene signature de/hacia spam. Valores
+  posibles: `error` (fallar en la operación), `move` (mover el mensaje
+  de todos modos). Se recomienda empezar con `error` para detectar
+  errores al entrenar. Una vez todo andando se recomienda `move`.
+* `dovecot_antispam_spam` (`Junk;junk;Junk Mail;Spam;spam;SPAM`):
+  nombres de carpeta a interpretar como spam.
+* `dovecot_antispam_trash` (`Trash;trash;mail/trash;Deleted
+  Messages`): nombres de carpeta a interpretar como papelera.
+* `dovecot_antispam_debug_enable` (`no`)
+* `dovecot_antispam_debug_target` (`syslog`)
+* `dovecot_antispam_debug_verbosity` (`0`)
+
+#### Para rspamd
+
+```yaml
+dovecot_antispam_enable: yes
+dovecot_antispam_pipe_program: rspamc
+dovecot_antispam_pipe_program_spam_arg: learn_spam
+dovecot_antispam_pipe_program_notspam_arg: learn_ham
+```
+
+### Quota
+
+* `dovecot_quota_enable` (`yes`): activar plugin quota.
+* `dovecot_quota_driver` (`count`): driver de quota. Opciones
+  posibles: `count`, `maildir`.
+* `dovecot_quota_limit` (`4096M`): límite global de la cuota de
+  usuario.
+* `dovecot_quota_additional_limit`: (`{Trash: 100M }`): límites
+  adicionales para casillas específicas.
+* `dovecot_quota_grace` (`10%`): gracia de la cuota (en % o M).
+
+### Sieve
+
+* `dovecot_sieve_enable` (`yes`): activar plugin sieve.
+* `dovecot_sieve_before` (`/etc/dovecot/sieve/before`): directorio con
+  scripts ejecutados antes que los del usuario.
+* `dovecot_sieve_after` (`/etc/dovecot/sieve/after`): directorio con
+  scripts ejecutados después que los del usuario.
+
+### Single-instance storage para adjuntos
+
+* `dovecot_sis_enable` (`yes`): Indica si activar single-instance
+  storage para los adjuntos.
+* `dovecot_sis_directory`: (`{{ vmail_home }}/attachments`): lugar
+  donde se guardan los adjuntos desduplicados.
+* `dovecot_sis_min_size` (`128k`): tamaño minimo de adjuntos a guardar
+  en SIS.
+* `dovecot_sis_hash` (`%{sha1}`): hash a usar para desduplicar.
+* `dovecot_sis_queue_enable` (`no`): habilitar desduplicacion
+  postergada,
+* `dovecot_sis_queue_directory` (`{{vmail_home}}/attachments-queue`):
+  carpeta donde se guardan los pendientes para desduplicar.
+
+### Carpeta alternativa para correo
+
+* `dovecot_altstorage_enable` (`no`): habilitar uso de carpeta
+  alternativa de correo.
+* `dovecot_altstorage_directory` (`{{ vmail_home }}/alt-storage`):
+  carpeta alternativa de correo.
diff --git a/confd/conf.d/auth.toml b/confd/conf.d/auth.toml
new file mode 100644
index 0000000..3f02539
--- /dev/null
+++ b/confd/conf.d/auth.toml
@@ -0,0 +1,10 @@
+[template]
+src = "10-auth.conf.tmpl"
+dest = "/etc/dovecot/local.d/10-auth.conf"
+keys = [
+    "/mail/domains",
+    "/auth/username/format",
+    "/auth/mechanisms",
+    "/auth/master/enable",
+    "/ldap/enable"
+]
diff --git a/confd/conf.d/imap.toml b/confd/conf.d/imap.toml
new file mode 100644
index 0000000..5f7829a
--- /dev/null
+++ b/confd/conf.d/imap.toml
@@ -0,0 +1,7 @@
+[template]
+src = "20-imap.conf.tmpl"
+dest = "/etc/dovecot/local.d/20-imap.conf"
+keys = [
+    "/antispam/enable",
+    "/imap/urlauth/host"
+]
diff --git a/confd/conf.d/ldap.toml b/confd/conf.d/ldap.toml
new file mode 100644
index 0000000..492053c
--- /dev/null
+++ b/confd/conf.d/ldap.toml
@@ -0,0 +1,18 @@
+[template]
+src = "ldap.conf.ext.tmpl"
+dest = "/etc/dovecot/local.d/ldap.conf.ext"
+keys = [
+    "/ldap/hosts",
+    "/ldap/uris",
+    "/ldap/bind",
+    "/ldap/version",
+    "/ldap/base",
+    "/ldap/scope",
+    "/ldap/user/attrs",
+    "/ldap/user/filter",
+    "/ldap/pass/attrs",
+    "/ldap/pass/filter",
+    "/ldap/iterate/attrs",
+    "/ldap/iterate/filter",
+    "/ldap/default/pass/scheme",
+]
diff --git a/confd/conf.d/ldap2.toml b/confd/conf.d/ldap2.toml
new file mode 100644
index 0000000..6bb380e
--- /dev/null
+++ b/confd/conf.d/ldap2.toml
@@ -0,0 +1,18 @@
+[template]
+src = "ldap.conf.ext.tmpl"
+dest = "/etc/dovecot/local.d/ldap2.conf.ext"
+keys = [
+    "/ldap/hosts",
+    "/ldap/uris",
+    "/ldap/bind",
+    "/ldap/version",
+    "/ldap/base",
+    "/ldap/scope",
+    "/ldap/user/attrs",
+    "/ldap/user/filter",
+    "/ldap/pass/attrs",
+    "/ldap/pass/filter",
+    "/ldap/iterate/attrs",
+    "/ldap/iterate/filter",
+    "/ldap/default/pass/scheme",
+]
diff --git a/confd/conf.d/lmtp.toml b/confd/conf.d/lmtp.toml
new file mode 100644
index 0000000..5d46a0d
--- /dev/null
+++ b/confd/conf.d/lmtp.toml
@@ -0,0 +1,6 @@
+[template]
+src = "20-lmtp.conf.tmpl"
+dest = "/etc/dovecot/local.d/20-lmtp.conf"
+keys = [
+    "/mail/domains"
+]
diff --git a/confd/conf.d/submission.toml b/confd/conf.d/submission.toml
new file mode 100644
index 0000000..51b822d
--- /dev/null
+++ b/confd/conf.d/submission.toml
@@ -0,0 +1,15 @@
+[template]
+src = "submission.conf.tmpl"
+dest = "/etc/dovecot/local.d/submission.conf"
+keys = [
+    "/submission/hostname",
+    "/submission/relay/host",
+    "/submission/relay/port",
+    "/submission/relay/trusted",
+    "/submission/relay/user",
+    "/submission/relay/master/user",
+    "/submission/relay/password",
+    "/submission/relay/ssl",
+    "/submission/relay/ssl/verify",
+    "/submission/relay/rawlog/dir"
+]
diff --git a/confd/templates/10-auth.conf.tmpl b/confd/templates/10-auth.conf.tmpl
new file mode 100644
index 0000000..e16688d
--- /dev/null
+++ b/confd/templates/10-auth.conf.tmpl
@@ -0,0 +1,32 @@
+auth_realms = {{ getv "/mail/domains" }}
+auth_default_realm = {{ index (split (getv "/mail/domains") " ") 0 }}
+auth_username_format = {{ getv "/auth/username/format" }}
+auth_mechanisms = {{ getv "/auth/mechanisms" }}
+
+
+{{ if eq (getv "/auth/master/enable") "yes"}}
+passdb {
+  driver = passwd-file
+  master = yes
+  args = /etc/dovecot/master-users
+
+# Unless you're using PAM, you probably still want the destination user to
+  # be looked up from passdb that it really exists. pass=yes does that.
+  pass = yes
+}
+{{ end }}
+
+
+{{ if eq (getv "/ldap/enable") "yes"}}
+passdb {
+  driver = ldap
+  args = /etc/dovecot/local.d/ldap.conf.ext
+}
+userdb {
+  driver = prefetch
+}
+userdb {
+  driver = ldap
+  args = /etc/dovecot/local.d/ldap2.conf.ext
+}
+{{ end }}
diff --git a/confd/templates/20-imap.conf.tmpl b/confd/templates/20-imap.conf.tmpl
new file mode 100644
index 0000000..efe8cee
--- /dev/null
+++ b/confd/templates/20-imap.conf.tmpl
@@ -0,0 +1,6 @@
+imap_capability = +SPECIAL_USE
+imap_urlauth_host = {{ getv "/imap/urlauth/host" }}
+protocol imap {
+  mail_plugins = $mail_plugins {{ if eq (getv "/antispam/enable") "yes" }}antispam{{ end }}
+  imap_metadata = yes
+}
diff --git a/confd/templates/20-lmtp.conf.tmpl b/confd/templates/20-lmtp.conf.tmpl
new file mode 100644
index 0000000..529db27
--- /dev/null
+++ b/confd/templates/20-lmtp.conf.tmpl
@@ -0,0 +1,5 @@
+protocol lmtp {
+  # postmaster_address aparentemente es obligatorio
+  postmaster_address = postmaster@{{ index (split (getv "/mail/domains") " ") 0 }}
+  mail_plugins = $mail_plugins sieve
+}
diff --git a/confd/templates/90-quota.conf.tmpl b/confd/templates/90-quota.conf.tmpl
new file mode 100644
index 0000000..105e6fb
--- /dev/null
+++ b/confd/templates/90-quota.conf.tmpl
@@ -0,0 +1,27 @@
+plugin {
+  #quota_rule = *:storage=1G
+  #quota_rule2 = Trash:storage=+100M
+  quota_rule = *:storage={{ dovecot_quota_limit }}
+  {% for key, value in dovecot_quota_additional_limit.items() %}
+  quota_rule{{ loop.index + 1 }} = {{ key }}:storage=+{{ value }}
+  {% endfor %}
+
+  # LDA/LMTP allows saving the last mail to bring user from under quota to
+  # over quota, if the quota doesn't grow too high. Default is to allow as
+  # long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
+  #quota_grace = 10%%
+  quota_grace = {{ dovecot_quota_grace | regex_replace("%.*$","%%") }}
+
+  {% if dovecot_quota_driver == "count" %}
+  quota_vsizes = yes
+  {% endif %}
+}
+
+
+plugin {
+  quota = {{ dovecot_quota_driver }}:User quota
+  #quota = dirsize:User quota
+  #quota = maildir:User quota
+  #quota = dict:User quota::proxy::quota
+  #quota = fs:User quota
+}
diff --git a/confd/templates/ldap.conf.ext.tmpl b/confd/templates/ldap.conf.ext.tmpl
new file mode 100644
index 0000000..c24f6b8
--- /dev/null
+++ b/confd/templates/ldap.conf.ext.tmpl
@@ -0,0 +1,16 @@
+{{ if (getv "/ldap/hosts") }}
+hosts = {{ getv "/ldap/hosts" }}
+{{ else }}
+uris = {{ getv "/ldap/uris" }}
+{{ end }}
+auth_bind = {{ getv "/ldap/bind" }}
+ldap_version = {{ getv "/ldap/version" }}
+base = {{ getv "/ldap/base" }}
+scope = {{ getv "/ldap/scope" }}
+user_attrs = {{ getv "/ldap/user/attrs" }}
+user_filter = {{ getv "/ldap/user/filter" }}
+pass_attrs = {{ getv "/ldap/pass/attrs" }}
+pass_filter = {{ getv "/ldap/pass/filter" }}
+iterate_attrs = {{ getv "/ldap/iterate/attrs" }}
+iterate_filter = {{ getv "/ldap/iterate/filter" }}
+default_pass_scheme = {{ getv "/ldap/default/pass/scheme" }}
diff --git a/confd/templates/submission.conf.tmpl b/confd/templates/submission.conf.tmpl
new file mode 100644
index 0000000..9ea4426
--- /dev/null
+++ b/confd/templates/submission.conf.tmpl
@@ -0,0 +1,10 @@
+hostname = {{getv "/submission/hostname"}}
+submission_relay_host = {{getv "/submission/relay/host"}}
+submission_relay_port = {{getv "/submission/relay/port"}}
+submission_relay_trusted = {{getv "/submission/relay/trusted"}}
+submission_relay_user = {{getv "/submission/relay/user"}}
+submission_relay_master_user = {{getv "/submission/relay/master/user"}}
+submission_relay_password = {{getv "/submission/relay/password"}}
+submission_relay_ssl = {{getv "/submission/relay/ssl"}}
+submission_relay_ssl_verify = {{getv "/submission/relay/ssl/verify"}}
+submission_relay_rawlog_dir = {{getv "/submission/relay/rawlog/dir"}}
diff --git a/junk-filter.sieve b/junk-filter.sieve
new file mode 100644
index 0000000..49f978e
--- /dev/null
+++ b/junk-filter.sieve
@@ -0,0 +1,9 @@
+require ["regex","fileinto", "mailbox"];
+# rule:[SPAM]
+if anyof(
+  header :contains "X-Spam-Flag" "YES",
+  header :contains "X-Bogosity" "Spam" )
+{
+        fileinto :create "Junk";
+        stop;
+}
diff --git a/local.conf b/local.conf
new file mode 100644
index 0000000..18a35ee
--- /dev/null
+++ b/local.conf
@@ -0,0 +1,2 @@
+!include_try local.d/*.conf
+log_path = /dev/stdout