diff --git a/inventory/host_vars/ks3370405.yml b/inventory/host_vars/ks3370405.yml
new file mode 100644
index 0000000..31e2399
--- /dev/null
+++ b/inventory/host_vars/ks3370405.yml
@@ -0,0 +1,6 @@
+---
+
+allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"]
+
+global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}"
+ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"
diff --git a/inventory/static.yml b/inventory/static.yml
index 73b9fc3..82e53ca 100644
--- a/inventory/static.yml
+++ b/inventory/static.yml
@@ -14,6 +14,8 @@ all:
       ansible_host: muse-HP-EliteBook-820-G2.home.arpa
     pinkypie:
       ansible_host: pinkypie.home.arpa
+    ks3370405:
+      ansible_host: ks3370405.kimsufi.com
 
 router:
   hosts:
@@ -76,6 +78,7 @@ disabled_munin:
     baybay-ponay:
     muse-HP-EliteBook-820-G2:
     pinkypie:
+    ks3370405:
 
 disabled_syslog:
   hosts:
@@ -83,6 +86,7 @@ disabled_syslog:
     machinbox:
     muse-HP-EliteBook-820-G2:
     pinkypie:
+    ks3370405:
 
 # Those are not servers and should not be configured as such
 disabled_server_conf:
diff --git a/playbooks/smtprelay.yml b/playbooks/smtprelay.yml
index 180b824..42317c3 100644
--- a/playbooks/smtprelay.yml
+++ b/playbooks/smtprelay.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: Deploy smtp relay
-  hosts: all:!disabled_server_conf:!machinbox:!mail
+  hosts: all:!disabled_server_conf:!machinbox:!mail:!ks3370405
   diff: true
   roles:
     - smtprelay
diff --git a/roles/ufw/defaults/main.yml b/roles/ufw/defaults/main.yml
new file mode 100644
index 0000000..9a02e17
--- /dev/null
+++ b/roles/ufw/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ufw_allowed_smtp_ips: []
diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml
new file mode 100644
index 0000000..a3bb8f2
--- /dev/null
+++ b/roles/ufw/tasks/main.yml
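Review bot: The two addresses in `allowed_smtp_ips` are bare IPs with nothing saying which senders they belong to, so whoever edits this allowlist next cannot tell whether an entry is still needed. A comment above the key naming each source, e.g. `# senders allowed to relay through this host: <sender name placeholder>`, would make the list auditable. Because the same list feeds both `global_smtp_relay_allowed_ips` and `ufw_allowed_smtp_ips`, a stale entry stays open at the firewall and at the relay at once, which makes the provenance of each address worth recording.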
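Review bot: Excluding the new host by literal name in the play pattern, `hosts: all:!disabled_server_conf:!machinbox:!mail:!ks3370405`, ties the playbook to one inventory entry and needs another edit for each relay host added later, while the rest of the pattern already works through groups. Putting `ks3370405` in an inventory group (the existing `mail` group if that is what the host is, or a dedicated one) and excluding that group keeps the pattern stable. Whether the host actually belongs in `mail` cannot be seen here, since that group's definition is outside the hunks of inventory/static.yml.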
@@ -0,0 +1,43 @@
+---
+
+- name: Install ufw
+  ansible.builtin.package:
+    name: ufw
+    state: present
+
+- name: Permit outgoing flows
+  community.general.ufw:
+    default: allow
+    direction: outgoing
+
+- name: Deny incoming flows
+  community.general.ufw:
+    default: deny
+    direction: incoming
+
+- name: Allow incoming SSH
+  community.general.ufw:
+    rule: allow
+    port: ssh
+    proto: tcp
+
+- name: Allow incoming HTTP
+  community.general.ufw:
+    rule: allow
+    port: http
+    proto: tcp
+
+- name: Allow incoming SMTP
+  community.general.ufw:
+    rule: allow
+    port: smtp
+    src: "{{ item }}"
+  loop: "{{ ufw_allowed_smtp_ips }}"
+
+- name: Set logging
+  community.general.ufw:
+    logging: "on"
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
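Review bot: The `Allow incoming SMTP` task has no `proto:`, unlike the SSH and HTTP rules above it, so ufw opens port 25 for both TCP and UDP from each listed source; adding `proto: tcp` under `port: smtp` limits it to what SMTP uses and keeps the three rules consistent. A second gap is that this loop only ever adds rules, so an address removed from `ufw_allowed_smtp_ips` later keeps its allow rule until someone deletes it by hand — at minimum a comment on the loop, `# NOTE: rules are additive; dropping an IP from the list does not remove its rule`, or a delete pass over removed entries. The ordering itself looks right: defaults and the SSH allow are applied before `state: enabled`, so enabling the firewall cannot lock out the session running the play.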