diff --git a/mail_server.yaml b/mail.yaml
similarity index 64%
rename from mail_server.yaml
rename to mail.yaml
index 8cce310..f7132f6 100644
--- a/mail_server.yaml
+++ b/mail.yaml
@@ -8,3 +8,6 @@
       - role: postfix
         ldap_server: "{{ hostvars['ldap'].ansible_host }}"
         fqdn_domain: "lilik.it"
+      - role: dovecot
+        fqdn_domain: "lilik.it"
+        ldap_server: "{{ hostvars['ldap'].ansible_host }}"
diff --git a/roles/dovecot/handlers/main.yml b/roles/dovecot/handlers/main.yml
new file mode 100644
index 0000000..0a4ff65
--- /dev/null
+++ b/roles/dovecot/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- include: service.yaml
+  vars:
+    service_name: postfix
+
+- include: service.yaml
+  vars:
+    service_name: dovecot
diff --git a/roles/dovecot/tasks/main.yaml b/roles/dovecot/tasks/main.yaml
new file mode 100644
index 0000000..d2a2b6b
--- /dev/null
+++ b/roles/dovecot/tasks/main.yaml
@@ -0,0 +1,121 @@
+- include: service.yaml
+  # static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
+  vars:
+    service_name: dovecot
+    service_packages:
+      - dovecot-ldap
+      - dovecot-imapd
+      - rsyslog
+#      - dovecot-lmtpd
+#      - amavisd-new
+#      - postgrey #TODO
+#      - spamassassin
+#      - clamav-daemon
+
+- lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = dovecot" state=present
+  notify: restart postfix
+
+- blockinfile:
+    dest: /etc/postfix/master.cf
+    block: |
+      dovecot   unix  -       n       n       -       -       pipe
+        flags=DRhu user=postman:postman argv=/usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
+  notify: restart postfix
+
+- name: create postman group
+  group: name=postman state=present
+
+- name: create postman user
+  user: name=postman state=present shell=/dev/null
+
+- name: edit dovecot configuration
+  lineinfile: dest=/etc/dovecot/conf.d/10-master.conf line='    port = 143' insertafter='inet_listener imap {' state=present
+  notify: restart dovecot
+
+- blockinfile:
+    dest: /etc/dovecot/conf.d/10-master.conf
+    insertafter: 'inet_listener imaps {'
+    marker: '#ANSIBLE BLOCK FOR IMAPS PORT'
+    block: |
+                  port = 993
+                  ssl = yes
+  notify: restart dovecot
+
+- blockinfile:
+    dest: "/etc/dovecot/conf.d/10-master.conf"
+    insertafter: "unix_listener auth-userdb {"
+    marker: '#ANSIBLE BLOCK FOR AUTH USER'
+    block: |
+        group = postman
+        mode = 0664
+        user = postman
+  notify: restart dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_location = maildir:/home/postman/%d/%n' regexp='^mail_location = ' state=present
+  notify: restart dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_gid = postman' state=present
+  notify: restart dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_uid = postman' state=present
+  notify: restart dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-system.conf.ext" state=absent
+  notify: restart dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-ldap.conf.ext" state=present
+  notify: restart dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_default_realm = {{ fqdn_domain }}"
+  notify: restart dovecot
+
+- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_mechanisms = login plain"
+  notify: restart dovecot
+
+- blockinfile:
+    dest: /etc/dovecot/conf.d/10-ssl.conf
+    block: |
+        ssl = yes
+        ssl_cert = </etc/dovecot/dovecot.pem
+        ssl_key = </etc/dovecot/private/dovecot.pem
+
+# TODO: ssl, remove when dovecot will use a valid ssl certificate
+- name: generate certificates
+  shell: openssl req -new -x509 -subj "/C=US/ST=Oregon/L=Portland/O=IT/CN=10.0.58.13" -days 3650 -nodes -newkey rsa:4096 -out /etc/dovecot/dovecot.pem -keyout /etc/dovecot/private/dovecot.pem
+  args:
+    creates: /etc/dovecot/dovecot.pem
+  notify: restart dovecot
+
+- template: src=dovecot-ldap.conf.ext.j2 dest=/etc/dovecot/dovecot-ldap.conf.ext
+  notify: restart dovecot
+
+#- lineinfile: dest=/etc/postfix/main.cf line="content_filter=smtp-amavis:[127.0.0.1]:10024" state=present
+#  notify: restart_postfix
+
+#- blockinfile: |
+#    dest=/etc/postfix/master.cf
+#    content=" smtp-amavis unix    -       -       n       -       2     smtp
+#    -o smtp_data_done_timeout=1200
+#    -o smtp_send_xforward_command=yes
+#    -o disable_dns_lookups=yes
+#    -o max_use=20
+#
+#     127.0.0.1:10025 inet n    -       n       -       -     smtpd
+#    -o content_filter=
+#    -o smtpd_delay_reject=no
+#    -o smtpd_client_restrictions=permit_mynetworks,reject
+#    -o smtpd_helo_restrictions=
+#    -o smtpd_sender_restrictions=
+#    -o smtpd_recipient_restrictions=permit_mynetworks,reject
+#    -o smtpd_data_restrictions=reject_unauth_pipelining
+#    -o smtpd_end_of_data_restrictions=
+#    -o smtpd_restriction_classes=
+#    -o mynetworks=127.0.0.0/8
+#    -o smtpd_error_sleep_time=0
+#    -o smtpd_soft_error_limit=1001
+#    -o smtpd_hard_error_limit=1000
+#    -o smtpd_client_connection_count_limit=0
+#    -o smtpd_client_connection_rate_limit=0
+#    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
+#    -o local_header_rewrite_clients="
+#  notify: restart_postfix
diff --git a/roles/postfix/templates/dovecot-ldap.conf.ext.j2 b/roles/dovecot/templates/dovecot-ldap.conf.ext.j2
similarity index 100%
rename from roles/postfix/templates/dovecot-ldap.conf.ext.j2
rename to roles/dovecot/templates/dovecot-ldap.conf.ext.j2
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
index 138b6e5..a3d0219 100644
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -1,5 +1,4 @@
-- name: restart_postfix
-  service: name=postfix state=restarted
-
-- name: restart_dovecot
-  service: name=dovecot state=restarted
+---
+- include: service.yaml
+  vars:
+    service_name: postfix
diff --git a/roles/postfix/tasks/main.yaml b/roles/postfix/tasks/main.yaml
index e36fd89..e4b0f3d 100644
--- a/roles/postfix/tasks/main.yaml
+++ b/roles/postfix/tasks/main.yaml
@@ -10,130 +10,42 @@
       question: 'postfix/mailname'
       vtype: 'string'
       value: 'lilik.it'
-- name: install postfix packages
-  apt:
-      name: '{{ item }}'
-      state: latest
-      install_recommends: false
-  with_items:
+
+- include: service.yaml
+  vars:
+    service_name: postfix
+    service_packages:
       - postfix
       - postfix-ldap
-      - dovecot-ldap
-      - dovecot-imapd
+      # TODO: log, add a centralized log server
       - rsyslog
-#      - dovecot-lmtpd
-#      - amavisd-new
-#      - postgrey #TODO
-#      - spamassassin
-#      - clamav-daemon
 
 - name: upload ldap-aliases.cf
   template:
      src: ldap-aliases.cf.j2
      dest: "/etc/postfix/ldap-aliases.cf"
-  notify: restart_postfix
+  notify: restart postfix
+
 - lineinfile: dest=/etc/postfix/main.cf line="virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-aliases.cf"
-  notify: restart_postfix
+  notify: restart postfix
 
 - name: upload ldap-domains.cf
   template:
      src: ldap-domains.cf.j2
      dest: "/etc/postfix/ldap-domains.cf"
-  notify: restart_postfix
+  notify: restart postfix
+
 - lineinfile: dest=/etc/postfix/main.cf line="virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domains.cf"
-  notify: restart_postfix
+  notify: restart postfix
 
 - name: upload ldap-accounts.cf
   template:
      src: ldap-accounts.cf.j2
      dest: "/etc/postfix/ldap-accounts.cf"
-  notify: restart_postfix
-- lineinfile: dest=/etc/postfix/main.cf line="virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-accounts.cf"
-  notify: restart_postfix
-
-#TODO remove previous mydestination definition
-- lineinfile: dest=/etc/postfix/main.cf line="mydestination = mail.lilik.it, lists.lilik.it, localhost" state=present
-  notify: restart_postfix
-
-- blockinfile:
-    dest: "/etc/dovecot/conf.d/10-master.conf"
-    insertafter: "unix_listener auth-userdb {"
-    content: |
-        group = postman
-        mode = 0664
-        user = postman
-  notify: restart_postfix
-
-- lineinfile: dest=/etc/postfix/main.cf line="virtual_transport = dovecot" state=present
-  notify: restart_postfix
-
-- blockinfile:
-    dest: /etc/postfix/master.cf
-    block: |
-      dovecot   unix  -       n       n       -       -       pipe
-        flags=DRhu user=postman:postman argv=/usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
-  notify: restart_postfix
-
-- name: create postman group
-  group: name=postman state=present gid=800
-
-- name: create postman user
-  user: name=postman state=present uid=800 shell=/dev/null
+  notify: restart postfix
 
-- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf regexp='^mail_location' state=absent
-  notify: restart_dovecot
-
-- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_location = maildir:/home/postman/%d/%n' state=present
-  notify: restart_dovecot
-
-- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_gid = 800' state=present
-  notify: restart_dovecot
-
-- lineinfile: dest=/etc/dovecot/conf.d/10-mail.conf line='mail_uid = 800' state=present
-  notify: restart_dovecot
-
-- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-system.conf.ext" state=absent
-  notify: restart_dovecot
-
-- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="!include auth-ldap.conf.ext" state=present
-  notify: restart_dovecot
-
-- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_default_realm = {{ fqdn_domain }}\n"
-  notify: restart_dovecot
-
-- lineinfile: dest=/etc/dovecot/conf.d/10-auth.conf line="auth_mechanisms = login plain"
-  notify: restart_dovecot
-
-- template: src=dovecot-ldap.conf.ext.j2 dest=/etc/dovecot/dovecot-ldap.conf.ext
-  notify: restart_dovecot
-
-#- lineinfile: dest=/etc/postfix/main.cf line="content_filter=smtp-amavis:[127.0.0.1]:10024" state=present
-#  notify: restart_postfix
+- lineinfile: dest=/etc/postfix/main.cf line="virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-accounts.cf"
+  notify: restart postfix
 
-#- blockinfile: |
-#    dest=/etc/postfix/master.cf
-#    content=" smtp-amavis unix    -       -       n       -       2     smtp
-#    -o smtp_data_done_timeout=1200
-#    -o smtp_send_xforward_command=yes
-#    -o disable_dns_lookups=yes
-#    -o max_use=20
-#
-#     127.0.0.1:10025 inet n    -       n       -       -     smtpd
-#    -o content_filter=
-#    -o smtpd_delay_reject=no
-#    -o smtpd_client_restrictions=permit_mynetworks,reject
-#    -o smtpd_helo_restrictions=
-#    -o smtpd_sender_restrictions=
-#    -o smtpd_recipient_restrictions=permit_mynetworks,reject
-#    -o smtpd_data_restrictions=reject_unauth_pipelining
-#    -o smtpd_end_of_data_restrictions=
-#    -o smtpd_restriction_classes=
-#    -o mynetworks=127.0.0.0/8
-#    -o smtpd_error_sleep_time=0
-#    -o smtpd_soft_error_limit=1001
-#    -o smtpd_hard_error_limit=1000
-#    -o smtpd_client_connection_count_limit=0
-#    -o smtpd_client_connection_rate_limit=0
-#    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-#    -o local_header_rewrite_clients="
-#  notify: restart_postfix
+- lineinfile: dest=/etc/postfix/main.cf line="mydestination = mail.lilik.it, lists.lilik.it, localhost" regexp='mydestination =' state=present
+  notify: restart postfix
diff --git a/roles/roundcube/tasks/main.yaml b/roles/roundcube/tasks/main.yaml
index 8f8064f..3deb1dd 100644
--- a/roles/roundcube/tasks/main.yaml
+++ b/roles/roundcube/tasks/main.yaml
@@ -23,7 +23,10 @@
   template:
       src: "my-roundcube.php.j2"
       dest: "/etc/roundcube/my-roundcube.php"
-      mode: 0600
+      mode: 0640
+      owner: root
+      group: www-data
+
 
 - name: include my-roundcube.php
   lineinfile:
diff --git a/roles/roundcube/templates/my-roundcube.php.j2 b/roles/roundcube/templates/my-roundcube.php.j2
index cbab408..3898248 100644
--- a/roles/roundcube/templates/my-roundcube.php.j2
+++ b/roles/roundcube/templates/my-roundcube.php.j2
@@ -1,19 +1,19 @@
 <?php
-$config['default_host'] = 'ssl://mail.lilik.it';
+$config['default_host'] = 'ssl://{{ hostvars['mail'].ansible_host }}';
 $config['default_port'] = 993;
 $config['imap_auth_type'] = 'login';
-$config['smtp_server'] = 'mail.lilik.it';
+$config['smtp_server'] = '{{ hostvars['mail'].ansible_host }}';
 $config['smtp_helo_host'] = 'webmail.lilik.it';
 $config['skin_logo'] = '/images/lilik-150x54.png';
 $config['username_domain'] = 'lilik.it';
-$config['product_name'] = 'LiLIK Webmail';
-$config['plugins'] = array('password','carddav');
+$config['product_name'] = 'LILiK Webmail';
+$config['plugins'] = array('password');
 $config['language'] = 'it_IT';
 $config['skin'] = 'classic';
 $config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Junk', 'Trash', 'Archive');
 $config['create_default_folders'] = true;
 
-# TODO remove when dovecot will use a valid ssl certificate
+# TODO: ssl, remove when dovecot will use a valid ssl certificate
 $config['imap_conn_options'] = array(
   'ssl'         => array(
 	 'verify_peer'  => false,