diff --git a/inventory/host_vars/ks3370405.yml b/inventory/host_vars/ks3370405.yml new file mode 100644 index 0000000..89a2642 --- /dev/null +++ b/inventory/host_vars/ks3370405.yml @@ -0,0 +1,9 @@ +--- + +web_hostname: + - host: mail-relay.mateu.be + +allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"] + +global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}" +ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}" diff --git a/inventory/static.yml b/inventory/static.yml index 73b9fc3..1faf0b1 100644 --- a/inventory/static.yml +++ b/inventory/static.yml @@ -14,6 +14,8 @@ all: ansible_host: muse-HP-EliteBook-820-G2.home.arpa pinkypie: ansible_host: pinkypie.home.arpa + ks3370405: + ansible_host: ks3370405.kimsufi.com router: hosts: @@ -24,6 +26,10 @@ physicalservers: frederica: serenor: +webservers: + hosts: + ks3370405: + hypervisors: children: proxmox_nodes: @@ -63,6 +69,7 @@ resticservers: disabled_loadbalanced_webservers: hosts: + ks3370405: disabled_system: hosts: @@ -76,6 +83,7 @@ disabled_munin: baybay-ponay: muse-HP-EliteBook-820-G2: pinkypie: + ks3370405: disabled_syslog: hosts: @@ -83,6 +91,7 @@ disabled_syslog: machinbox: muse-HP-EliteBook-820-G2: pinkypie: + ks3370405: # Those are not servers and should not be configured as such disabled_server_conf: diff --git a/playbooks/global_smtprelay.yml b/playbooks/global_smtprelay.yml new file mode 100644 index 0000000..9a3af34 --- /dev/null +++ b/playbooks/global_smtprelay.yml @@ -0,0 +1,7 @@ +--- + +- name: Install & configure the global SMTP relay + hosts: ks3370405 + roles: + - ufw + - global_smtp_relay diff --git a/playbooks/site.yml b/playbooks/site.yml index 8b37864..3f6693c 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -18,6 +18,8 @@ import_playbook: firewall.yml - name: Run mail playbook import_playbook: mail.yml +- name: Run global_smtprelay playbook + import_playbook: global_smtprelay.yml - name: Run xmpp playbook import_playbook: xmpp.yml - name: Run webservers playbook 
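Review bot: `allowed_smtp_ips` is the single place that decides who may relay mail through this host, yet the two addresses carry no indication of what they are, so nobody can later tell whether one can be safely dropped or has been reassigned. Since the list feeds both `ufw_allowed_smtp_ips` and `global_smtp_relay_allowed_ips`, a comment above it such as `# Sites allowed to relay via mail-relay.mateu.be: <owner of 82.66.135.228>, <owner of 80.67.179.200>; feeds both the ufw port-25 rule and postfix mynetworks` would make the trust decision auditable. If either address is a dynamic residential line, note that too, because whoever inherits the IP inherits open-relay rights.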
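Review bot: Adding ks3370405 to `disabled_syslog` (and `disabled_munin`) leaves an Internet-facing mail relay with no off-host logging or monitoring, so relay abuse and the ufw log lines the new role turns on would only ever be visible on the box itself, and would be lost if it were compromised. Presumably this is because the host sits outside the home network rather than a deliberate choice; if so, a comment beside the entry such as `# ks3370405: off-site, no path to the syslog collector yet` would record the reason and keep the gap from being forgotten. The postfix mail log on a relay is exactly the evidence you want shipped elsewhere.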
diff --git a/playbooks/smtprelay.yml b/playbooks/smtprelay.yml index 180b824..42317c3 100644 --- a/playbooks/smtprelay.yml +++ b/playbooks/smtprelay.yml @@ -1,7 +1,7 @@ --- - name: Deploy smtp relay - hosts: all:!disabled_server_conf:!machinbox:!mail + hosts: all:!disabled_server_conf:!machinbox:!mail:!ks3370405 diff: true roles: - smtprelay diff --git a/roles/global_smtp_relay/handlers/main.yml b/roles/global_smtp_relay/handlers/main.yml new file mode 100644 index 0000000..521d053 --- /dev/null +++ b/roles/global_smtp_relay/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart postfix + ansible.builtin.service: + name: postfix + state: restarted + enabled: true diff --git a/roles/global_smtp_relay/tasks/main.yml b/roles/global_smtp_relay/tasks/main.yml new file mode 100644 index 0000000..3461f5a --- /dev/null +++ b/roles/global_smtp_relay/tasks/main.yml @@ -0,0 +1,15 @@ +--- + +- name: Install postfix + ansible.builtin.package: + name: postfix + state: present + +- name: Put configuration + ansible.builtin.template: + src: main.cf.j2 + dest: /etc/postfix/main.cf + owner: root + group: root + mode: "0o640" + notify: Restart postfix diff --git a/roles/global_smtp_relay/templates/main.cf.j2 b/roles/global_smtp_relay/templates/main.cf.j2 new file mode 100644 index 0000000..594e819 --- /dev/null +++ b/roles/global_smtp_relay/templates/main.cf.j2 
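Review bot: The exclusion `!ks3370405` in the `hosts` pattern carves out one host by name while every other exclusion is an inventory group, so a second relay host would require editing this play again. Putting the relay host into a group (for example `global_smtp_relays`) and excluding that group, `hosts: all:!disabled_server_conf:!machinbox:!mail:!global_smtp_relays`, keeps the pattern in step with the inventory and lets `playbooks/global_smtprelay.yml` target the same group instead of the bare hostname.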
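Review bot: Writing `/etc/postfix/main.cf` as root:root with mode 0640 makes it unreadable to unprivileged processes, and Postfix ships it as 0644 (its `postfix set-permissions` resets it to that) because the `sendmail`/`postconf` front-ends run as the invoking user and read main.cf; cron jobs or local users submitting mail on this box may therefore fail to open it, which is worth verifying on the host. Nothing in the file is secret (the TLS key lives under /etc/x509), so `mode: "0644"` is the safer value; it also drops the unusual `"0o640"` spelling, which appears to work only because Ansible parses the string with base-8 `int()`. There is no single-file `validate` for main.cf, but a `postfix check` task after the template would catch a broken render before the handler restarts the service.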
@@ -0,0 +1,29 @@ +compatibility_level = 2 +mail_owner = postfix +myhostname = mail-relay.mateu.be +myorigin = $myhostname +mydestination = $myhostname, localhost.$mydomain, localhost +unknown_local_recipient_reject_code = 550 +mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200 +sendmail_path = /usr/bin/sendmail +newaliases_path = /usr/bin/newaliases +mailq_path = /usr/bin/mailq +mailbox_size_limit = 104857600 +message_size_limit = 104857600 +inet_protocols = ipv4 +## Référence de chiffrement TLS +# serveur SMTP +smtpd_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer +smtpd_tls_key_file = /etc/x509/mail-relay.mateu.be/mail-relay.mateu.be.key +smtpd_use_tls = yes +smtpd_tls_auth_only = yes +smtpd_tls_protocols = !SSLv2,!SSLv3 +smtpd_tls_loglevel = 1 +# client SMTP +smtp_tls_CApath = /etc/ssl/certs +smtp_tls_cert_file = /etc/x509/mail-relay.mateu.be/fullchain.cer +smtp_tls_key_file = /etc/x509/mail-relay.mateu.be/mail-relay.mateu.be.key +smtp_use_tls = yes +smtp_tls_protocols = !SSLv2,!SSLv3 +smtp_tls_security_level = may +smtp_tls_loglevel = 1 diff --git a/roles/nginx/templates/vhosts/mail-relay.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/mail-relay.mateu.be.conf.j2 new file mode 100644 index 0000000..e69de29 diff --git a/roles/ufw/defaults/main.yml b/roles/ufw/defaults/main.yml new file mode 100644 index 0000000..9a02e17 --- /dev/null +++ b/roles/ufw/defaults/main.yml @@ -0,0 +1,2 @@ +--- +ufw_allowed_smtp_ips: [] diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml new file mode 100644 index 0000000..a3bb8f2 --- /dev/null +++ b/roles/ufw/tasks/main.yml 
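Review bot: `mynetworks` hard-codes the two relay client addresses even though the host_vars define `global_smtp_relay_allowed_ips` for exactly this purpose, so the firewall (`ufw_allowed_smtp_ips`) and the relay permission will drift apart the first time the list is edited. Render it from the variable instead: `mynetworks = 127.0.0.0/8, [::1]/128{% for ip in global_smtp_relay_allowed_ips %}, {{ ip }}{% endfor %}`. The relay policy itself rests on Postfix's default `smtpd_relay_restrictions` (on Postfix ≥ 2.10: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination); stating it explicitly in the template would make the open-relay boundary visible to the next reader. Separately, `smtpd_tls_protocols = !SSLv2,!SSLv3` still admits TLS 1.0/1.1 and `smtpd_use_tls`/`smtp_use_tls` are the legacy spellings; `smtpd_tls_security_level = may`, `smtp_tls_security_level = may` and `smtpd_tls_protocols = >=TLSv1.2` is the current form (the `>=` syntax needs Postfix 3.6+, otherwise use `!SSLv2,!SSLv3,!TLSv1,!TLSv1.1`).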
@@ -0,0 +1,43 @@ +--- + +- name: Install ufw + ansible.builtin.package: + name: ufw + state: present + +- name: Permit outgoing flows + community.general.ufw: + default: allow + direction: outgoing + +- name: Deny incoming flows + community.general.ufw: + default: deny + direction: incoming + +- name: Allow incoming SSH + community.general.ufw: + rule: allow + port: ssh + proto: tcp + +- name: Allow incoming HTTP + community.general.ufw: + rule: allow + port: http + proto: tcp + +- name: Allow incoming SMTP + community.general.ufw: + rule: allow + port: smtp + src: "{{ item }}" + loop: "{{ ufw_allowed_smtp_ips }}" + +- name: Set logging + community.general.ufw: + logging: "on" + +- name: Enable UFW + community.general.ufw: + state: enabled
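Review bot: The `Allow incoming SMTP` rule has no `proto:`, so unlike the SSH and HTTP rules it opens 25/udp as well as 25/tcp for each source; add `proto: tcp` to that rule. The HTTP rule admits the whole Internet to port 80 on a host whose only stated job is relaying mail — presumably for ACME http-01 renewals of the `/etc/x509/mail-relay.mateu.be` certificate, in which case a comment saying so (`# 80/tcp stays open for ACME http-01 challenges`) would stop someone from closing it, and if not, the rule should go. Since the role hard-codes SSH and HTTP for every host that includes it, consider gating them behind defaults (for example `ufw_allow_http: true`) alongside the existing `ufw_allowed_smtp_ips`.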