diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml
index 31ce02cdf11c4ab6962dda51bfeba72d0679e2df..9d03d8adeb5ae7ace7d07f418995317cd4186046 100644
--- a/dovecot/defaults/main.yml
+++ b/dovecot/defaults/main.yml
@@ -31,3 +31,5 @@ dovecot_dsync_host_attribute: ansible_host
 dovecot_content_filter: false
 dovecot_spam_folder: Spam
 dovecot_spam_user: "${1}" # debian-spamd
+dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve'
+dovecot_special_mailbox_auto_subscribe: false
diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml
index f629400b6cbfd864c508d89ebf14c416225d6852..c9af587fb3979391cc425a93207a0804266689d1 100644
--- a/dovecot/tasks/main.yml
+++ b/dovecot/tasks/main.yml
@@ -28,15 +28,18 @@
 - dovecot.conf
 - deny-users
 - conf.d/10-auth.conf
+ - conf.d/10-director.conf
 - conf.d/10-mail.conf
 - conf.d/10-master.conf
 - conf.d/10-ssl.conf
 - conf.d/15-lda.conf
- - conf.d/20-managesieve.conf
+ - conf.d/15-mailboxes.conf
 - conf.d/20-imap.conf
 - conf.d/20-lmtp.conf
+ - conf.d/20-managesieve.conf
 - conf.d/90-sieve.conf
 - conf.d/auth-passwdfile.conf.ext
+ - conf.d/auth-system.conf.ext
 notify:
 - restart dovecot
 tags:
diff --git a/dovecot/templates/conf.d/10-director.conf.j2 b/dovecot/templates/conf.d/10-director.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..1429e2c2f71244ad6334083b15d5079e6d8a04ca
--- /dev/null
+++ b/dovecot/templates/conf.d/10-director.conf.j2
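Review bot: `dovecot_sieve` is added without a comment saying which Dovecot setting it feeds, and no template in this diff references it (90-sieve.conf.j2 is not changed here), so it is either unused or consumed by a template outside the diff — worth confirming. The neighbouring `dovecot_spam_user` line carries an explanatory comment and the two new defaults deserve the same, e.g. `dovecot_sieve: 'file:~/sieve;active=~/.dovecot.sieve' # per-user sieve script dir and active-script symlink (90-sieve.conf)` and `dovecot_special_mailbox_auto_subscribe: false # auto-create and subscribe Drafts/Sent/Trash/spam folder (15-mailboxes.conf)`.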
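Review bot: The new `conf.d/auth-system.conf.ext` entry at the end of this list enables a PAM passdb and a passwd userdb, but it only takes effect if `conf.d/10-auth.conf` (unchanged in this diff) includes it; if it does, every local account with a valid PAM password becomes an IMAP/LMTP identity alongside the passwd-file users, so confirm that the `deny-users` file templated earlier in this same list is actually consulted by the auth chain. The other two additions, `10-director.conf` and `15-mailboxes.conf`, are fine but a one-line comment on the auth entry would prevent surprises, e.g. `- conf.d/auth-system.conf.ext  # PAM passdb + passwd userdb; live only when included from 10-auth.conf`. The enclosing task starts before this hunk, so the template module's `mode`/`owner` settings are not visible here.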
@@ -0,0 +1,57 @@
+##
+## Director-specific settings.
+##
+
+# Director can be used by Dovecot proxy to keep a temporary user -> mail server
+# mapping. As long as user has simultaneous connections, the user is always
+# redirected to the same server. Each proxy server is running its own director
+# process, and the directors are communicating the state to each others.
+# Directors are mainly useful with NFS-like setups.
+
+# List of IPs or hostnames to all director servers, including ourself.
+# Ports can be specified as ip:port. The default port is the same as
+# what director service's inet_listener is using.
+#director_servers =
+
+# List of IPs or hostnames to all backend mail servers. Ranges are allowed
+# too, like 10.0.0.10-10.0.0.30.
+#director_mail_servers =
+
+# How long to redirect users to a specific server after it no longer has
+# any connections.
+#director_user_expire = 15 min
+
+# How the username is translated before being hashed. Useful values include
+# %Ln if user can log in with or without @domain, %Ld if mailboxes are shared
+# within domain.
+#director_username_hash = %Lu
+
+# To enable director service, uncomment the modes and assign a port.
+service director {
+ unix_listener login/director {
+ #mode = 0666
+ }
+ fifo_listener login/proxy-notify {
+ #mode = 0666
+ }
+ unix_listener director-userdb {
+ #mode = 0600
+ }
+ inet_listener {
+ #port =
+ }
+}
+
+# Enable director for the wanted login services by telling them to
+# connect to director socket instead of the default login socket:
+service imap-login {
+ #executable = imap-login director
+}
+#service submission-login {
+# #executable = submission-login director
+#}
+
+# Enable director for LMTP proxying:
+protocol lmtp {
+ #auth_socket_path = director-userdb
+}
diff --git a/dovecot/templates/conf.d/15-mailboxes.conf.j2 b/dovecot/templates/conf.d/15-mailboxes.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..08335585d9546200e80d8d70c2655326ca952bd7
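Review bot: Every directive in this template is commented out and the file contains no Jinja expressions, so deploying it changes nothing in the running configuration while still triggering the `restart dovecot` handler on first deploy; either parameterize `director_servers` and `director_mail_servers` from role variables and guard the block with `{% if dovecot_director_servers %}`, or drop the file from the template list until director is actually used. If it is ever enabled, note that `mode = 0666` on `login/director` and `login/proxy-notify` is world-writable by design (unprivileged login processes must reach them), whereas `director-userdb` must stay at `0600` as written because it answers userdb lookups. Director was removed in Dovecot 2.4, so verify the target version still supports it before building on this file.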
--- /dev/null
+++ b/dovecot/templates/conf.d/15-mailboxes.conf.j2
@@ -0,0 +1,90 @@
+##
+## Mailbox definitions
+##
+
+# Each mailbox is specified in a separate mailbox section. The section name
+# specifies the mailbox name. If it has spaces, you can put the name
+# "in quotes". These sections can contain the following mailbox settings:
+#
+# auto:
+# Indicates whether the mailbox with this name is automatically created
+# implicitly when it is first accessed. The user can also be automatically
+# subscribed to the mailbox after creation. The following values are
+# defined for this setting:
+#
+# no - Never created automatically.
+# create - Automatically created, but no automatic subscription.
+# subscribe - Automatically created and subscribed.
+#
+# special_use:
+# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
+# mailbox. There are no validity checks, so you could specify anything
+# you want in here, but it's not a good idea to use flags other than the
+# standard ones specified in the RFC:
+#
+# \All - This (virtual) mailbox presents all messages in the
+# user's message store.
+# \Archive - This mailbox is used to archive messages.
+# \Drafts - This mailbox is used to hold draft messages.
+# \Flagged - This (virtual) mailbox presents all messages in the
+# user's message store marked with the IMAP \Flagged flag.
+# \Junk - This mailbox is where messages deemed to be junk mail
+# are held.
+# \Sent - This mailbox is used to hold copies of messages that
+# have been sent.
+# \Trash - This mailbox is used to hold messages that have been
+# deleted.
+#
+# comment:
+# Defines a default comment or note associated with the mailbox. This
+# value is accessible through the IMAP METADATA mailbox entries
+# "/shared/comment" and "/private/comment". Users with sufficient
+# privileges can override the default value for entries with a custom
+# value.
+
+# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
+namespace inbox {
+ # These mailboxes are widely used and could perhaps be created automatically:
+ mailbox Drafts {
+ special_use = \Drafts
+{% if dovecot_special_mailbox_auto_subscribe %}
+ auto = subscribe
+{% endif %}
+ }
+ mailbox {{ dovecot_spam_folder }} {
+ special_use = \Junk
+{% if dovecot_special_mailbox_auto_subscribe %}
+ auto = subscribe
+{% endif %}
+ }
+ mailbox Trash {
+ special_use = \Trash
+{% if dovecot_special_mailbox_auto_subscribe %}
+ auto = subscribe
+{% endif %}
+ }
+
+ # For \Sent mailboxes there are two widely used names. We'll mark both of
+ # them as \Sent. User typically deletes one of them if duplicates are created.
+ mailbox Sent {
+ special_use = \Sent
+{% if dovecot_special_mailbox_auto_subscribe %}
+ auto = subscribe
+{% endif %}
+ }
+ mailbox "Sent Messages" {
+ special_use = \Sent
+ }
+
+ # If you have a virtual "All messages" mailbox:
+ #mailbox virtual/All {
+ # special_use = \All
+ # comment = All my messages
+ #}
+
+ # If you have a virtual "Flagged" mailbox:
+ #mailbox virtual/Flagged {
+ # special_use = \Flagged
+ # comment = All my flagged messages
+ #}
+}
diff --git a/dovecot/templates/conf.d/auth-system.conf.ext.j2 b/dovecot/templates/conf.d/auth-system.conf.ext.j2
new file mode 100644
index 0000000000000000000000000000000000000000..dadb9f7c9734f03d8a6b149afbb7a51213ee0f6c
--- /dev/null
+++ b/dovecot/templates/conf.d/auth-system.conf.ext.j2
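Review bot: `mailbox {{ dovecot_spam_folder }} {` interpolates the role variable unquoted, yet the header comment of this very file says a name containing spaces must be put in quotes, so a value such as `Junk E-mail` produces a config Dovecot rejects; write it as `mailbox "{{ dovecot_spam_folder }}" {`. Quoting does not sanitize the value — a `"`, `}` or newline in `dovecot_spam_folder` still breaks or injects into the rendered file — so the role should assert the variable matches a conservative pattern (e.g. `^[A-Za-z0-9 ._-]+$`) before templating; that assert task would live outside this diff. `mailbox "Sent Messages"` is the only special-use mailbox without the `auto = subscribe` conditional, which matches the upstream default (only one \Sent box should be auto-created), but a comment such as `# intentionally not auto-created: avoids two \Sent folders` would save the next reader a question.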
@@ -0,0 +1,74 @@
+# Authentication for system users. Included from 10-auth.conf.
+#
+# <doc/wiki/PasswordDatabase.txt>
+# <doc/wiki/UserDatabase.txt>
+
+# PAM authentication. Preferred nowadays by most systems.
+# PAM is typically used with either userdb passwd or userdb static.
+# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
+# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
+passdb {
+ driver = pam
+ # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
+ # [cache_key=<key>] [<service name>]
+ #args = dovecot
+}
+
+# System users (NSS, /etc/passwd, or similar).
+# In many systems nowadays this uses Name Service Switch, which is
+# configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
+#passdb {
+ #driver = passwd
+ # [blocking=no]
+ #args =
+#}
+
+# Shadow passwords for system users (NSS, /etc/shadow or similar).
+# Deprecated by PAM nowadays.
+# <doc/wiki/PasswordDatabase.Shadow.txt>
+#passdb {
+ #driver = shadow
+ # [blocking=no]
+ #args =
+#}
+
+# PAM-like authentication for OpenBSD.
+# <doc/wiki/PasswordDatabase.BSDAuth.txt>
+#passdb {
+ #driver = bsdauth
+ # [blocking=no] [cache_key=<key>]
+ #args =
+#}
+
+##
+## User databases
+##
+
+# System users (NSS, /etc/passwd, or similar). In many systems nowadays this
+# uses Name Service Switch, which is configured in /etc/nsswitch.conf.
+userdb {
+ # <doc/wiki/AuthDatabase.Passwd.txt>
+ driver = passwd
+ # [blocking=no]
+ #args =
+
+ # Override fields from passwd
+ #override_fields = home=/home/virtual/%u
+}
+
+# Static settings generated from template <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+ #driver = static
+ # Can return anything a userdb could normally return. For example:
+ #
+ # args = uid=500 gid=500 home=/var/mail/%u
+ #
+ # LDA and LMTP needs to look up users only from the userdb. This of course
+ # doesn't work with static userdb because there is no list of users.
+ # Normally static userdb handles this by doing a passdb lookup. This works
+ # with most passdbs, with PAM being the most notable exception. If you do
+ # the user verification another way, you can add allow_all_users=yes to
+ # the args in which case the passdb lookup is skipped.
+ #
+ #args =
+#}
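Review bot: The only live blocks in this file are `passdb { driver = pam }` and `userdb { driver = passwd }`, and with `#args = dovecot` left commented Dovecot falls back to the PAM service name `dovecot`, which the header comment itself says requires `/etc/pam.d/dovecot`; nothing in this diff installs or asserts that file, so the role should either ship it or state the requirement in its README. Because the passwd userdb accepts any NSS account, confirm that `first_valid_uid`/`last_valid_uid` in the role's 10-mail.conf (not part of this diff) exclude system and service accounts, and keep `failure_show_msg=yes` out of `args` so PAM's failure text is never echoed to the client. Since the template contains no Jinja expressions, a short header comment would help operators, e.g. `# Rendered verbatim from the Dovecot default; PAM service "dovecot" (/etc/pam.d/dovecot) - only consulted when 10-auth.conf includes this file.`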