diff --git a/machine.yml b/machine.yml
index 646682a..1c4321a 100644
--- a/machine.yml
+++ b/machine.yml
@@ -10,6 +10,70 @@
 # E-mail configuration.
 # ----------------------------------------------------------------------------------------------
 
+  - name: Configure mailname
+    template:
+      src: ./root/etc/mailname.j2
+      dest: /etc/mailname
+      mode: 0644
+    register: mail_mailname
+
+  - name: Configure aliases
+    template:
+      src: ./root/etc/aliases.j2
+      dest: /etc/aliases
+      mode: 0644
+    register: mail_aliases
+
+  - name: Update aliases
+    command: newaliases
+    when: mail_aliases is changed
+
+  - name: Configure mailutils
+    template:
+      src: ./root/etc/mailutils.conf.j2
+      dest: /etc/mailutils.conf
+      mode: 0644
+
   - name: Install postfix
     apt:
+      name:
+        - postfix
+        - ca-certificates
+        - libsasl2-modules
+    register: mail_postfix_install
+
+  - name: Configure postfix
+    template:
+      src: ./root/etc/postfix/main.cf.j2
+      dest: /etc/postfix/main.cf
+      mode: 0644
+    register: mail_postfix_cfg
+
+  - name: Configure credentials
+    template:
+      src: ./root/etc/postfix/sasl_passwd.j2
+      dest: /etc/postfix/sasl_passwd
+      mode: 0600
+    register: mail_postfix_credentials
+
+  - name: Create hash database
+    command: postmap /etc/postfix/sasl_passwd
+    when:
+      mail_postfix_credentials is changed
+
+  - name: Set hash database permissions
+    file:
+      path: /etc/postfix/sasl_passwd.db
+      mode: 0600
+
+  - name: Enable/restart postfix
+    service:
       name: postfix
+      state: restarted
+      enabled: yes
+    when:
+      mail_mailname is changed or
+      mail_aliases is changed or
+      mail_postfix_install is changed or
+      mail_postfix_cfg is changed or
+      mail_postfix_credentials is changed
diff --git a/root/etc/aliases.j2 b/root/etc/aliases.j2
new file mode 100644
index 0000000..755eb0e
--- /dev/null
+++ b/root/etc/aliases.j2
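Review bot: "Configure credentials" templates `{{ postfix_smtp_pass }}` into /etc/postfix/sasl_passwd without `no_log: true`, so the SMTP password is echoed in `--diff`/verbose output and can end up in CI logs; add `no_log: true` to that task. "Update aliases" runs `newaliases` before the "Install postfix" apt task, so on a host where no MTA is installed yet the command is not available until a later task has run — moving "Configure aliases"/"Update aliases" after the install task (next to "Create hash database") fixes the ordering. Between `postmap` and "Set hash database permissions" the new sasl_passwd.db exists with whatever permissions postmap gave it, which depends on the umask and Postfix version; `shell: umask 077 && postmap /etc/postfix/sasl_passwd` closes that window. The octal modes are unquoted (`mode: 0644`), which Ansible accepts for leading-zero values, but its docs recommend quoting (`mode: "0600"`) so YAML never reinterprets them as integers.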
@@ -0,0 +1,14 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+root: root.yggdrasil@{{ domain }}
diff --git a/root/etc/mailname.j2 b/root/etc/mailname.j2
new file mode 100644
index 0000000..81008ba
--- /dev/null
+++ b/root/etc/mailname.j2
@@ -0,0 +1 @@
+{{ domain }}
diff --git a/root/etc/mailutils.conf.j2 b/root/etc/mailutils.conf.j2
new file mode 100644
index 0000000..4e82c99
--- /dev/null
+++ b/root/etc/mailutils.conf.j2
@@ -0,0 +1,3 @@
+address {
+  email-domain {{ domain }};
+};
diff --git a/root/etc/postfix/main.cf.j2 b/root/etc/postfix/main.cf.j2
index eaafc8f..c8deb56 100644
--- a/root/etc/postfix/main.cf.j2
+++ b/root/etc/postfix/main.cf.j2
@@ -4,9 +4,9 @@
 # Debian specific: Specifying a file name will cause the first
 # line of that file to be used as the name. The Debian default
 # is /etc/mailname.
-#myorigin = /etc/mailname
+myorigin = /etc/mailname
 
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+smtpd_banner = $myhostname ESMTP
 biff = no
 
 # appending .domain is the MUA's job.
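Review bot: `root: root.yggdrasil@{{ domain }}` on the last line hard-codes the host name that this same commit moves into `{{ hostname }}` for `myhostname` in main.cf.j2, so a renamed machine keeps forwarding root's mail to the old address without any error; write it as `root: root.{{ hostname }}@{{ domain }}`. Because every alias here ends in `root` and root is then sent off-host through the authenticated relay, a one-line header such as `# all local mail collapses to root and is forwarded off-host via relayhost (see main.cf)` would make that explicit to the next reader.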
@@ -29,18 +29,24 @@
 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=may
+smtp_tls_security_level=encrypt
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_wrappermode = yes
 
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = yggdrasil
+myhostname = {{ hostname }}.{{ domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
-mydestination = $myhostname, yggdrasil, localhost.localdomain, , localhost
-relayhost =
+mydestination = $myhostname, {{ hostname }}, localhost
+relayhost = [{{ postfix_smtp_server }}]:{{ postfix_smtp_port }}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 recipient_delimiter = +
-inet_interfaces = all
+inet_interfaces = loopback-only
 inet_protocols = all
+
+# SASL parameters
+smtp_sasl_auth_enable = yes
+smtp_sasl_security_options = noanonymous
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
diff --git a/root/etc/postfix/sasl_passwd.j2 b/root/etc/postfix/sasl_passwd.j2
new file mode 100644
index 0000000..511cfd7
--- /dev/null
+++ b/root/etc/postfix/sasl_passwd.j2
@@ -0,0 +1 @@
+[{{ postfix_smtp_server }}]:{{ postfix_smtp_port }} {{ postfix_smtp_user }}:{{ postfix_smtp_pass }}
diff --git a/secrets.def.yml b/secrets.def.yml
index ea16c37..5d31ba1 100644
--- a/secrets.def.yml
+++ b/secrets.def.yml
@@ -1,3 +1,13 @@
 # Ansible variables
 ansible_port:
 ansible_become_password:
+
+# Machine variables
+hostname:
+domain:
+
+# Postfix variables
+postfix_smtp_server:
+postfix_smtp_port:
+postfix_smtp_user:
+postfix_smtp_pass:
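Review bot: `smtp_tls_security_level=encrypt` only mandates that TLS is used; it does not verify the relay's certificate, so the SASL password now sent via `smtp_sasl_password_maps` can be captured by anyone who can interpose on the connection to `{{ postfix_smtp_server }}`. Because `relayhost` is written in brackets (no MX lookup) the nexthop name is usable for verification: set `smtp_tls_security_level = secure` and point verification at the ca-certificates bundle the playbook installs, `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` (the existing `smtp_tls_CApath` can stay). `smtp_tls_wrappermode = yes` is only correct when `postfix_smtp_port` is the implicit-TLS port (465); with a STARTTLS port such as 587 delivery fails, so either document that constraint next to the setting or derive it from the port, e.g. `smtp_tls_wrappermode = {{ 'yes' if postfix_smtp_port|int == 465 else 'no' }}`.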
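Review bot: The added keys are bare `postfix_smtp_pass:` style entries, which YAML loads as null, so a copy of this file where a value is forgotten would not trip Ansible's undefined-variable check and is likely to render `None` into sasl_passwd and main.cf; a short `assert` in machine.yml that the `postfix_*` variables are defined and non-empty, run before "Configure postfix", would catch that early. `hostname` and `domain` are not secrets, and `postfix_smtp_port` is coupled to `smtp_tls_wrappermode = yes` in main.cf.j2, so a comment per key stating the expected value would help, e.g. `postfix_smtp_port:  # 465, the implicit-TLS port that smtp_tls_wrappermode expects`.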