diff --git a/production/group_vars/all.yml b/production/group_vars/all.yml
new file mode 100644
index 0000000..6405d23
--- /dev/null
+++ b/production/group_vars/all.yml
@@ -0,0 +1,8 @@
+smtp_relay_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35333033346637663866393736623536313961396638323230616463356432376265303362636438
+ 3666363439646139633439383233363036383136306266370a636631316261653635323538643964
+ 39343134646635326465316239313334353232666361343733613166643363373962633538646163
+ 6663623433343233350a633463346664376563313830646539343439313436623365336463353463
+ 65393733353432376464306536663135623663613232326139306333363461313463
+
diff --git a/roles/smtprelay/handlers/main.yml b/roles/smtprelay/handlers/main.yml
new file mode 100644
index 0000000..e2e29dd
--- /dev/null
+++ b/roles/smtprelay/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: restart postfix
+ service:
+ name: postfix
+ state: restarted
+
+- name: postmap sasl_passwd
+ command: postmap /etc/postfix/sasl_passwd
+
diff --git a/roles/smtprelay/tasks/main.yml b/roles/smtprelay/tasks/main.yml
new file mode 100644
index 0000000..63f623f
--- /dev/null
+++ b/roles/smtprelay/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: install postfix smtp server
+ package:
+ name: postfix
+ state: present
+
+- name: install libsasl2
+ package:
+ name: libsasl2-modules
+ state: present
+
+- name: install sasl_passwd file
+ template:
+ src: sasl_passwd.j2
+ dest: /etc/postfix/sasl_passwd
+ mode: 0640
+ notify:
+ - postmap sasl_passwd
+ - restart postfix
+
+- name: install default postfix main.cf
+ template:
+ src: main.cf.j2
+ dest: /etc/postfix/main.cf
+ mode: 0644
+ notify: restart postfix
diff --git a/roles/smtprelay/templates/main.cf.j2 b/roles/smtprelay/templates/main.cf.j2
new file mode 100644
index 0000000..8cacae0
--- /dev/null
+++ b/roles/smtprelay/templates/main.cf.j2
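Review bot: Handler order in roles/smtprelay/handlers/main.yml can restart Postfix before the lookup table is rebuilt. Ansible runs notified handlers in the order they are defined in the handlers file, not in the order listed under `notify`, so `restart postfix` fires ahead of `postmap sasl_passwd`. After a first install or a password rotation the daemon may briefly run against a missing or stale `sasl_passwd.db`, and relay authentication can fail until the map is regenerated. Define `- name: postmap sasl_passwd` first and `- name: restart postfix` second so the hash map exists before the restart.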
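Review bot: The `install sasl_passwd file` task in roles/smtprelay/tasks/main.yml renders the decrypted relay password without suppressing task output and without pinning ownership. A run with `--diff` or raised verbosity can therefore print the credential into terminal scrollback or CI logs. Add `no_log: true` to that task, and set `owner: root` and `group: root` next to a tighter `mode: '0600'`, since the Postfix SASL guidance is to keep this file readable by root only. Both `mode: 0640` and `mode: 0644` are also unquoted; quoting them (`mode: '0644'`) is the form Ansible recommends so the value is never reinterpreted as a decimal integer.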
@@ -0,0 +1,26 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+myorigin = mateu.be
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname, localhost.$mydomain, localhost
+
+## sending email
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options = noanonymous
+smtp_use_tls = yes
+relayhost = [smtp.libertus.eu]:587
+
+## only accepts local relay
+mynetworks = 127.0.0.0/8, 172.17.0.1/16
+inet_interfaces = loopback-only
+
+smtpd_relay_restrictions = permit_mynetworks,defer_unauth_destination,reject
diff --git a/roles/smtprelay/templates/sasl_passwd.j2 b/roles/smtprelay/templates/sasl_passwd.j2
new file mode 100644
index 0000000..6640873
--- /dev/null
+++ b/roles/smtprelay/templates/sasl_passwd.j2
@@ -0,0 +1 @@
+[smtp.libertus.eu]:587 smtp.relay:{{ smtp_relay_pass }}
diff --git a/site.yml b/site.yml
index fe266b6..2734553 100644
--- a/site.yml
+++ b/site.yml
@@ -1,5 +1,6 @@ - import_playbook: system.yml - import_playbook: proxmox.yml +- import_playbook: smtprelay.yml - import_playbook: borgbackup.yml - import_playbook: nut.yml - import_playbook: firewall.yml
diff --git a/smtprelay.yml b/smtprelay.yml
new file mode 100644
index 0000000..23f3bbf
--- /dev/null
+++ b/smtprelay.yml
@@ -0,0 +1,3 @@
+- hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!mail.dmz.mateu.be
+ roles:
+ - smtprelay
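Review bot: `smtp_use_tls = yes` in main.cf.j2 only enables opportunistic TLS, so Postfix still delivers if STARTTLS is missing or stripped on the path to `[smtp.libertus.eu]:587`. In that case `smtp_sasl_security_options = noanonymous` lets the relay password go out with a plaintext mechanism over the unencrypted session. Replace it with `smtp_tls_security_level = encrypt` (or `verify` with a CA bundle configured, which also authenticates the relay's certificate). Also set `smtp_sasl_security_options = noanonymous, noplaintext` together with `smtp_sasl_tls_security_options = noanonymous`, so plaintext mechanisms are allowed only inside TLS. Separately, `172.17.0.1/16` in `mynetworks` has host bits set and should read `172.17.0.0/16`; with `inet_interfaces = loopback-only` that network cannot reach the listener anyway, so confirm whether the entry is intended.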