diff --git a/roles/smtprelay/handlers/main.yml b/roles/smtprelay/handlers/main.yml index ea08db3..7357675 100644 --- a/roles/smtprelay/handlers/main.yml +++ b/roles/smtprelay/handlers/main.yml @@ -9,3 +9,8 @@ ansible.builtin.command: cmd: postmap /etc/postfix/sasl_passwd changed_when: false + +- name: Restart stunnel4 + ansible.builtin.service: + name: stunnel4 + state: restarted diff --git a/roles/smtprelay/tasks/main.yml b/roles/smtprelay/tasks/main.yml index beaa41b..af21a66 100644 --- a/roles/smtprelay/tasks/main.yml +++ b/roles/smtprelay/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Include stunnel on condition + ansible.builtin.include_tasks: + file: stunnel.yml + when: smtprelay_port not in [587] - name: Install postfix smtp server ansible.builtin.package: diff --git a/roles/smtprelay/tasks/stunnel.yml b/roles/smtprelay/tasks/stunnel.yml new file mode 100644 index 0000000..eacebd0 --- /dev/null +++ b/roles/smtprelay/tasks/stunnel.yml @@ -0,0 +1,21 @@ +--- + +- name: Install stunnel + package: + name: stunnel4 + state: present + +- name: SMTP wrapper + template: + src: smtp-wrapper.conf.j2 + dest: /etc/stunnel/smtp-wrapper.conf + mode: 0644 + notify: Restart stunnel4 + +- name: Rewrite var smtprelay_host + set_fact: + smtprelay_host: "localhost" + +- name: Rewrite var smtprelay_port + set_fact: + smtprelay_port: "2{{ smtprelay_port }}" diff --git a/roles/smtprelay/templates/main.cf.j2 b/roles/smtprelay/templates/main.cf.j2 index 8cacae0..178404d 100644 --- a/roles/smtprelay/templates/main.cf.j2 +++ b/roles/smtprelay/templates/main.cf.j2 @@ -3,7 +3,7 @@ biff = no # appending .domain is the MUA's job. append_dot_mydomain = no -myorigin = mateu.be +myorigin = {{ smtprelay_origin }} # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h 
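Review bot: The condition `when: smtprelay_port not in [587]` in roles/smtprelay/tasks/main.yml routes every value other than the integer 587 through stunnel. A port supplied as a string (for example `"587"` from `-e` or a quoted inventory value) does not compare equal to the integer and would be wrapped. So would port 25, which normally speaks plain SMTP with STARTTLS rather than implicit TLS. An explicit allow-list with a cast is safer, e.g. `when: smtprelay_port | int in [465]`.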
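Review bot: The two `set_fact` tasks at the end of roles/smtprelay/tasks/stunnel.yml overwrite the role's own inputs, so the rewrite is not idempotent within a playbook run. If these tasks run a second time for the same host, `smtprelay_host` is already `localhost` and `smtprelay_port` already carries the `2` prefix, the include condition still matches, and the wrapper would be rendered to connect to its own listener. Deriving separate facts for the Postfix templates (for example `smtprelay_connect_host` and `smtprelay_connect_port`) and leaving the inputs untouched avoids this. Separately, `mode: 0644` is better written as `mode: "0644"`, and the bare `package`/`template`/`set_fact` names could use the `ansible.builtin.` prefix as the rest of the role does.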
@@ -17,7 +17,7 @@ smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_use_tls = yes -relayhost = [smtp.libertus.eu]:587 +relayhost = [{{ smtprelay_host }}]:{{ smtprelay_port }} ## only accepts local relay mynetworks = 127.0.0.0/8, 172.17.0.1/16 diff --git a/roles/smtprelay/templates/sasl_passwd.j2 b/roles/smtprelay/templates/sasl_passwd.j2 index 6640873..d02ff6a 100644 --- a/roles/smtprelay/templates/sasl_passwd.j2 +++ b/roles/smtprelay/templates/sasl_passwd.j2 @@ -1 +1 @@ -[smtp.libertus.eu]:587 smtp.relay:{{ smtp_relay_pass }} +[{{ smtprelay_host }}]:{{ smtprelay_port }} {{ smtprelay_login }}:{{ smtprelay_pass }} diff --git a/roles/smtprelay/templates/smtp-wrapper.conf.j2 b/roles/smtprelay/templates/smtp-wrapper.conf.j2 new file mode 100644 index 0000000..af4ba94 --- /dev/null +++ b/roles/smtprelay/templates/smtp-wrapper.conf.j2 @@ -0,0 +1,4 @@ +[smtp-tls-wrapper] +accept = 2{{ smtprelay_port }} +client = yes +connect = {{ smtprelay_host }}:{{ smtprelay_port }}
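Review bot: With `relayhost` in roles/smtprelay/templates/main.cf.j2 now pointing at an arbitrary `smtprelay_host`, the context line `smtp_use_tls = yes` still means opportunistic TLS. On the direct port-587 path Postfix may therefore send the SASL login unencrypted if STARTTLS is not offered or is stripped in transit. For that path consider `smtp_tls_security_level = encrypt`; the stunnel path to localhost cannot use it, so this probably needs a conditional in the template. The setting is in unchanged context rather than on the new line, so it can be handled as a follow-up.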
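Review bot: The new roles/smtprelay/templates/smtp-wrapper.conf.j2 sets `client = yes` but no certificate verification, and stunnel does not verify the peer by default. The tunnel that carries the SASL credentials is therefore encrypted but not authenticated, and an on-path host presenting any certificate would be accepted. `accept = 2{{ smtprelay_port }}` also names no address, so the listener is bound on all IPv4 interfaces rather than loopback, which exposes a ready-made tunnel to the relay to the local network. Binding to 127.0.0.1 and enabling chain and hostname checks closes both gaps; the CA bundle path below is the usual Debian-family location and should be confirmed for the target hosts.

```jinja
[smtp-tls-wrapper]
accept = 127.0.0.1:2{{ smtprelay_port }}
{# … unchanged: client and connect lines … #}
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = {{ smtprelay_host }}
```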