diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 6cbf9c9..0fb2c26 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2076,6 +2076,8 @@ nfs_exports: [] copy_plain_files: [] +copy_plain_files_postfix_host_specific: [] + copy_plain_files_postfwd_host_specific: [] copy_plain_files_postfix: diff --git a/host_vars/b.mx.oopen.de.yml b/host_vars/b.mx.oopen.de.yml index 1dd98a1..fc8ccba 100644 --- a/host_vars/b.mx.oopen.de.yml +++ b/host_vars/b.mx.oopen.de.yml @@ -99,22 +99,24 @@ copy_plain_files: dest_path: /root/bin/postfix/conf/whitelist_mb_sigs.conf -copy_plain_files_postfwd_host_specific: [] +copy_plain_files_postfix_host_specific: -#copy_plain_files_postfwd_host_specific: -# # Postfix Firewall postfwd -# # -# - name: postfwd.bl-sender -# src_path: b.mx/etc/postfix/postfwd.bl-sender -# dest_path: /etc/postfix/postfwd.bl-sender -# -# - name: postfwd.bl-user -# src_path: b.mx/etc/postfix/postfwd.bl-user -# dest_path: /etc/postfix/postfwd.bl-user -# -# - name: postfwd.wl-user -# src_path: b.mx/etc/postfix/postfwd.wl-user -# dest_path: /etc/postfix/postfwd.wl-user + - name: relay_domains + src_path: b.mx/etc/postfix/relay_domains + dest_path: /etc/postfix/relay_domains + + +copy_plain_files_postfwd_host_specific: + + # Postfix Firewall postfwd + # + - name: postfwd.wl-nets + src_path: b.mx/etc/postfix/postfwd.wl-nets + dest_path: /etc/postfix/postfwd.wl-nets + + - name: postfwd.wl-sender + src_path: b.mx/etc/postfix/postfwd.wl-sender + dest_path: /etc/postfix/postfwd.wl-sender copy_template_files: [] diff --git a/host_vars/o13-mail.oopen.de.yml b/host_vars/o13-mail.oopen.de.yml index beda813..88253cf 100644 --- a/host_vars/o13-mail.oopen.de.yml +++ b/host_vars/o13-mail.oopen.de.yml 
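Review bot: In the host_vars/b.mx.oopen.de.yml hunk, `copy_plain_files_postfwd_host_specific` now manages only postfwd.wl-nets and postfwd.wl-sender, yet the same commit deletes roles/common/files/b.mx/etc/postfix/postfwd.cf, whose WHL_HOSTS and WHL_USERS rules read /etc/postfix/postfwd.wl-hosts and postfwd.wl-user, and moves those two files to o13-mail/. If b.mx still runs postfwd, its ruleset and two of its lookup files are no longer deployed by this role and only the stale copies on the host keep it working; if postfwd was retired on b.mx, the commit message should say so and the variable is better reset to `copy_plain_files_postfwd_host_specific: []` than left as a partial list. Either way a one-line comment above the list stating which postfwd.cf on the host consumes these files would spare the next reader the same question.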
@@ -100,6 +100,69 @@ sudo_users: # see: roles/common/tasks/vars +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + # /root/bin/monitoring + # + - name: monitoring_check_cert_for_dovecot.conf + src_path: o13-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf + dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf + + - name: monitoring_check_webservice_load.conf + src_path: o13-mail/root/bin/monitoring/conf/check_webservice_load.conf + dest_path: /root/bin/monitoring/conf/check_webservice_load.conf + + # /root/bin/postfix + # + - name: postfix_check-postfix-fatal-errors.conf + src_path: o13-mail/root/bin/postfix/conf/check-postfix-fatal-errors.conf + dest_path: /root/bin/postfix/conf/check-postfix-fatal-errors.conf + + +copy_plain_files_postfwd_host_specific: + + - name: header_checks.pcre + src_path: o13-mail/etc/postfix/header_checks.pcre + dest_path: /etc/postfix/header_checks.pcre + + - name: postfwd.wl-hosts + src_path: o13-mail/etc/postfix/postfwd.wl-hosts + dest_path: /etc/postfix/postfwd.wl-hosts + + - name: postfwd.wl-hosts + src_path: o13-mail/etc/postfix/postfwd.wl-hosts + dest_path: /etc/postfix/postfwd.wl-hosts + + - name: postfwd.wl-nets + src_path: o13-mail/etc/postfix/postfwd.wl-nets + dest_path: /etc/postfix/postfwd.wl-nets + + - name: postfwd.wl-sender + src_path: o13-mail/etc/postfix/postfwd.wl-sender + dest_path: /etc/postfix/postfwd.wl-sender + + - name: postfwd.wl-user + src_path: o13-mail/etc/postfix/postfwd.wl-user + dest_path: /etc/postfix/postfwd.wl-user + + # Postfix Firewall postfwd + # + #- name: postfwd.wl-user + # src_path: o13-mail/etc/postfix/postfwd.wl-user + # dest_path: /etc/postfix/postfwd.wl-user + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + # --- # vars used by roles/common/tasks/caching-nameserver.yml # --- 
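Review bot: `copy_plain_files_postfwd_host_specific` in host_vars/o13-mail.oopen.de.yml lists `postfwd.wl-hosts` twice with identical name, src_path and dest_path, so the file is copied twice on every run; delete the second block. The same duplicate is present in the new host_vars/rage.so36.net.yml further down. `header_checks.pcre` is a Postfix header_checks table rather than a postfwd list, so it arguably belongs under the `copy_plain_files_postfix_host_specific` variable this commit introduces in group_vars/all/main.yml. The trailing commented `#- name: postfwd.wl-user` block repeats the active entry directly above it and can go.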
diff --git a/host_vars/o34.oopen.de.yml b/host_vars/o34.oopen.de.yml index 543c09f..0a1ddd5 100644 --- a/host_vars/o34.oopen.de.yml +++ b/host_vars/o34.oopen.de.yml @@ -22,9 +22,9 @@ network_interface_required_packages: network_interfaces: - - device: eth0 + - device: enp6s0 # use only once per device (for the first device entry) - headline: eth0 - primary network interface + headline: enp6s0 - primary network interface # auto & allow are only used for the first device entry allow: [] # array of allow-[stanzas] eg. allow-hotplug @@ -34,9 +34,9 @@ network_interfaces: method: static hwaddress: description: - address: 195.128.100.83 - netmask: 22 - gateway: 195.128.100.1 + address: 65.109.158.101 + netmask: 26 + gateway: 65.109.158.65 metric: pointopoint: mtu: @@ -64,9 +64,9 @@ network_interfaces: # search: warenform.de # nameservers: - - 46.38.225.230 - - 46.38.252.230 - - 2a03:4000:8000::fce6 + - 127.0.0.1 + - 185.12.64.2 + - 2a01:4ff:ff00::add:1 search: # optional additional subnets/ips subnets: [] @@ -98,7 +98,7 @@ network_interfaces: # optional vlan settings | vlan: {} # vlan: {} - # raw-device: 'eth0' + # raw-device: 'enp6s0' vlan: {} # inline hook scripts @@ -111,10 +111,10 @@ network_interfaces: - - device: eth0 + - device: enp6s0 family: inet6 method: static - address: 2a03:4000:35:761:a438:21ff:fea0:11bc + address: 2a01:4f9:3080:155d::2 netmask: 64 gateway: fe80::1 @@ -151,7 +151,7 @@ network_interfaces: default_user: - name: chris - password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. + password: $y$j9T$4tHDBpAXsLybUcR3EkGsN1$FztD35vOLJ2wkdcMMyWVjx7H6vCYAXK2Sik9RVx6iF6 shell: /bin/bash ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' 
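Review bot: The `password:` values in the default_user hunks (this one at -151 and the two at -162 and -171 in the next chunk) are yescrypt hashes committed in clear host_vars, and the replaced SHA-512 hashes stay in git history, so anyone with read access to the repository can run offline guessing against four account hashes. Keep them as `!vault` strings (`ansible-vault encrypt_string`) or move `default_user` into an encrypted vars file, and treat the previously committed hashes as exposed when deciding whether to rotate. `$y$` hashes are only verifiable where libcrypt supports yescrypt (Debian 11 / Ubuntu 22.04 and later); if o34 runs an older release the user module will set a hash the target cannot check and logins fail, so worth confirming on the new host.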
@@ -162,7 +162,7 @@ default_user: user_id: 1050 group_id: 1050 group: sysadm - password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 + password: $y$j9T$yvoukGb.97d5zHhCyfsi81$AmUW40NQhF4guOF95AZ/wU52SxmU8pviyqTOKgssLJB shell: /bin/bash ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' @@ -171,19 +171,17 @@ default_user: - name: localadmin user_id: 1051 group_id: 1051 - password: $6$flo5afeu$1Dn/tqIOJIFQbymCzpJk9BgGflQdy2Eg0nTiMBF7VefN7uY/Md1pV2yU0S47kZuH5aDjSdPfKzhHp8Aul/xx90 + password: $y$j9T$jS87fYUjhgghnH3Z46quc1$Kc7ywLGc2XidgYNCT3J/cVy5.2JEATyB0oAwxzE92L7 shell: /bin/bash ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - - 'ssh-rsa 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 jonas@meurer.it' - - 'ssh-rsa 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 t@NB-003258-RLS' - name: back user_id: 1060 group_id: 1060 group: back - password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. + password: $y$j9T$Q3MnSpKzmdfYWzmQVheWu/$7RcNMpDKF5aln1hk.5ReYfKSNUeRxfOj1yaHmo6YH95 shell: /bin/bash ssh_keys: - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' diff --git a/host_vars/rage.so36.net.yml b/host_vars/rage.so36.net.yml new file mode 100644 index 0000000..e7ee76c --- /dev/null +++ b/host_vars/rage.so36.net.yml 
@@ -0,0 +1,131 @@ +--- + +# --- +# vars used by roles/ansible_dependencies +# --- + + +# --- +# vars used by roles/ansible_user +# --- + + +# --- +# vars used by roles/common/tasks/basic.yml +# --- + + +# --- +# vars used by roles/common/tasks/sshd.yml +# --- + + +# --- +# vars used by roles/common/tasks/apt.yml +# --- + + +# --- +# vars used by roles/common/tasks/users.yml +# --- + + +# --- +# vars used by roles/common/tasks/users-systemfiles.yml +# --- + + +# --- +# vars used by roles/common/tasks/webadmin-user.yml +# --- + + +# --- +# vars used by roles/common/tasks/sudoers.yml +# --- +# +# see: roles/common/tasks/vars + + +# --- +# vars used by roles/common/tasks/copy_files.yml +# --- + +copy_plain_files: + + # /root/bin/monitoring + # + - name: monitoring_check_cert_for_dovecot.conf + src_path: rage/root/bin/monitoring/conf/check_cert_for_dovecot.conf + dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf + + # /root/bin/postfix + # + - name: postfix_check-postfix-fatal-errors.conf + src_path: rage/root/bin/postfix/conf/check-postfix-fatal-errors.conf + dest_path: /root/bin/postfix/conf/check-postfix-fatal-errors.conf + + - name: postfix_sent_userinfo_postfix.conf + src_path: rage/root/bin/postfix/conf/sent_userinfo_postfix.conf + dest_path: /root/bin/postfix/conf/sent_userinfo_postfix.conf + + - name: postfix_get_number_of_deferred_mailqueue.conf + src_path: rage/root/bin/postfix/conf/get_number_of_deferred_mailqueue.conf + dest_path: /root/bin/postfix/conf/get_number_of_deferred_mailqueue.conf + + +copy_plain_files_postfwd_host_specific: + + - name: header_checks.pcre + src_path: rage/etc/postfix/header_checks.pcre + dest_path: /etc/postfix/header_checks.pcre + + - name: postfwd.wl-hosts + src_path: rage/etc/postfix/postfwd.wl-hosts + dest_path: /etc/postfix/postfwd.wl-hosts + + - name: postfwd.wl-hosts + src_path: rage/etc/postfix/postfwd.wl-hosts + dest_path: /etc/postfix/postfwd.wl-hosts + + - name: postfwd.wl-nets + src_path: 
rage/etc/postfix/postfwd.wl-nets + dest_path: /etc/postfix/postfwd.wl-nets + + - name: postfwd.wl-sender + src_path: rage/etc/postfix/postfwd.wl-sender + dest_path: /etc/postfix/postfwd.wl-sender + + - name: postfwd.wl-user + src_path: rage/etc/postfix/postfwd.wl-user + dest_path: /etc/postfix/postfwd.wl-user + + # Postfix Firewall postfwd + # + #- name: postfwd.wl-user + # src_path: rage/etc/postfix/postfwd.wl-user + # dest_path: /etc/postfix/postfwd.wl-user + + +#copy_template_files: [] +# +# - name: mailsystem_install_amavis.conf +# src_path: usr/local/src/mailsystem/conf/install_amavis.conf.j2 +# dest_path: /usr/local/src/mailsystem/conf/install_amavis.conf + + +# --- +# vars used by roles/common/tasks/caching-nameserver.yml +# --- + + +# --- +# vars used by roles/common/tasks/git.yml +# --- + +# ============================== + + +# --- +# vars used by scripts/reset_root_passwd.yml +# --- diff --git a/host_vars/zapata.opp.netz.yml b/host_vars/zapata.opp.netz.yml index fc49bd5..c402235 100644 --- a/host_vars/zapata.opp.netz.yml +++ b/host_vars/zapata.opp.netz.yml @@ -329,7 +329,13 @@ samba_user: - beratung password: '20!lavinia*20' - - name: mahadi + - name: magdalena + groups: + - buero + - beratung + password: 'magdalena_23' + + - name: mahadi groups: - buero - beratung diff --git a/hosts b/hosts index d5a6457..393ac93 100644 --- a/hosts +++ b/hosts @@ -3,7 +3,7 @@ #[so36_server_dehydrated] #comm.so36.net ansible_user=ckubu #noc.so36.net ansible_user=ckubu -#rage.so36.net ansible_user=ckubu +rage.so36.net ansible_user=ckubu #rubyhost.so36.net ansible_user=ckubu #sympa.so36.net ansible_user=ckubu #schleuder3.so36.net ansible_user=ckubu @@ -183,6 +183,9 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + o35.oopen.de b.ns.oopen.de cl-02.oopen.de @@ -342,6 +345,9 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + # - o35.oopen.de o35.oopen.de b.ns.oopen.de 
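Review bot: host_vars/rage.so36.net.yml references `rage/root/bin/...` and `rage/etc/postfix/...` sources, but no file under roles/common/files/rage/ is added in this diff; if that directory does not already exist, the copy_files task fails on the first run against the host that the hosts change in this commit re-enables. Worth confirming the sources are present, or adding them in the same commit. As in host_vars/o13-mail.oopen.de.yml, the `postfwd.wl-hosts` entry appears twice and the commented `#- name: postfwd.wl-user` block repeats the active entry above it.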
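Review bot: `password: 'magdalena_23'` in host_vars/zapata.opp.netz.yml stores a Samba password in cleartext in version control next to the existing `'20!lavinia*20'`, and the value is derived from the user name, so it offers little resistance to guessing. Store these as `!vault` strings (`ansible-vault encrypt_string 'value' --name password`) or move `samba_user` into an encrypted vars file, and treat the committed values as exposed: have the affected users set new passwords once the change is in.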
@@ -520,6 +526,9 @@ backup.oopen.de # o30.oopen.de - AK server Jitsi Meet/Nextcloud cloud.akweb.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + # o35.oopen.de cl-02.oopen.de e.mx.oopen.de @@ -705,6 +714,9 @@ o26.oopen.de # etventure o32.oopen.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + # o35.oopen.de etherpad.oopen.de web-02.oopen.de @@ -774,7 +786,7 @@ lists.mx.warenform.de # so36.net # --- -#rage.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 +rage.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036 [sympa_list_server] @@ -889,6 +901,9 @@ cloud.akweb.de # etventure o32.oopen.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + # o35.oopen.de cl-02.oopen.de etherpad.oopen.de @@ -967,6 +982,9 @@ backup.oopen.de # o30.oopen.de - AK server Jitsi Meet/Nextcloud cloud.akweb.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + # o35.oopen.de cl-02.oopen.de @@ -1019,6 +1037,9 @@ o22.oopen.de # o27.oopen.de mail.faire-mobilitaet.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + # o35.oopen.de d.mx.oopen.de e.mx.oopen.de @@ -1174,6 +1195,7 @@ o29.oopen.de o30.oopen.de o31.oopen.de o32.oopen.de +o34.oopen.de o35.oopen.de o36.oopen.de @@ -1286,6 +1308,9 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + # o35.oopen.de cl-02.oopen.de e.mx.oopen.de @@ -1467,6 +1492,9 @@ o32.oopen.de # BigBlueButton - O.OPEN o33.oopen.de +# Nextcloud / DokuWiki VBER +o34.oopen.de + # - o35.oopen.de o35.oopen.de cl-02.oopen.de diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.bl-sender b/roles/common/files/b.mx/etc/postfix/postfwd.bl-sender deleted file mode 100644 index efe38b9..0000000 --- a/roles/common/files/b.mx/etc/postfix/postfwd.bl-sender +++ /dev/null 
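Review bot: The re-enabled line in the -786 hunk, `rage.so36.net ansible_ssh_user=ckubu ansible_ssh_port=1036`, uses the deprecated `ansible_ssh_user`/`ansible_ssh_port` spellings while the -3 hunk of the same file defines the same host with `ansible_user=ckubu`; the canonical names are `ansible_user` and `ansible_port`. Suggest `rage.so36.net ansible_user=ckubu ansible_port=1036` so both definitions of the host use one vocabulary and the port is not silently lost if the deprecated alias is ever removed.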
@@ -1,38 +0,0 @@ -# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** - -# --- -# Sender addresses blocked by postfwd -# -# This file is called with '=~'. This means perl regexp is possible -# -# -# To increase performance use ^ and/or $ in regular expressions -# -# @acieu\.co\.uk$ -# ^error@mailfrom.com$ -# -# instedt of -# -# @acieu.co.uk -# error@mailfrom.com -# -# -# Example: -# -# # # annoying spammer domains -# # block all senders of maildomaindomain 'oopen.de' -# @acieu\.co\.uk$ -# -# # annoying spammer addresses -# # block sender address -# error@mailfrom.com -# sqek@eike\.se$ -# -# --- - -# annoying spammer domains -@acieu\.co\.uk$ - -# annoying spammer addresses -^error@mailfrom\.com$ -^sqek@eike\.se$ diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.bl-user b/roles/common/files/b.mx/etc/postfix/postfwd.bl-user deleted file mode 100644 index 3ca2bb7..0000000 --- a/roles/common/files/b.mx/etc/postfix/postfwd.bl-user +++ /dev/null @@ -1,13 +0,0 @@ -# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** - -# --- -# SASL Users blocked by postfwd -# -# Example: -# -# # give SASL usernames to block here -# ckubu@oopen.de -# -# --- - -# give SASL usernames to block here diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.cf b/roles/common/files/b.mx/etc/postfix/postfwd.cf deleted file mode 100644 index d106016..0000000 --- a/roles/common/files/b.mx/etc/postfix/postfwd.cf +++ /dev/null 
@@ -1,172 +0,0 @@ - -#======= Definitions ============ - -# Match messages with an associated SASL username -&&SASL_AUTH { - sasl_username!~^$ -} - -# Trusted networks -&&TRUSTED_NETS { - client_address==file:/etc/postfix/postfwd.wl-nets -} - -# Trusted hostnames -# client_name~=.warenform.de$ -&&TRUSTED_HOSTS { - client_name=~file:/etc/postfix/postfwd.wl-hosts -} - -# Trusted users -&&TRUSTED_USERS { - sasl_username==file:/etc/postfix/postfwd.wl-user -} - -# Trusted senders -&&TRUSTED_SENDERS { - sender=~file:/etc/postfix/postfwd.wl-sender -} - -# Blacklist networks -&&BLOCK_NETS { - client_address==file:/etc/postfix/postfwd.bl-nets -} - -# Blacklist hostnames -&&BLOCK_HOSTS { - client_name=~file:/etc/postfix/postfwd.bl-hosts -} - -# Blacklist users -&&BLOCK_USERS { - sasl_username==file:/etc/postfix/postfwd.bl-user -} - -# Blacklist sender adresses -&&BLOCK_SENDER { - # =~ - # using '=~' allows also matching entries for domains (i.e. @acieu.co.uk) - sender=~file:/etc/postfix/postfwd.bl-sender -} - -# Inbound emails only -&&INCOMING { - client_address!=127.0.0.1 -} - - -#======= Rule Sets ============ - -# --- -# -# Processing of the Rule Sets -# -# The parser checks the elements of a policy delegation request against the postfwd set -# of rules and, if necessary, triggers the configured action (action=). Similar to a -# classic firewall, a rule is considered true if every element of the set of rules (or -# one from every element list) applies to the comparison. I.e. 
the following rule: -# -# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT -# -# triggers a REJECT if the -# -# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown' -# -# -# Note: -# If an element occurs more than once, an element list is formed: -# -# The following rule set is equivalent to the above: -# -# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT -# -# -# triggers a REJECT if (as above) the -# -# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown' -# -# --- - -# Whitelists - -# Whitelist trusted networks -id=WHL_NETS - &&TRUSTED_NETS - action=DUNNO - -# Whitelist trusted hostnames -id=WHL_HOSTS - &&TRUSTED_HOSTS - action=DUNNO - -# Whitelist sasl users -id=WHL_USERS - &&TRUSTED_USERS - action=DUNNO - -# Whitelist senders -id=WHL_SENDERS - &&INCOMING - &&TRUSTED_SENDERS - action=DUNNO - - -# Blacklists - -# Block networks -id=BL_NETS - &&BLOCK_NETS - action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS - -# Block hostname -id=BL_HOSTS - &&BLOCK_HOSTS - action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS - -# Block users -id=BL_USERS - &&BLOCK_USERS - action=REJECT User is blocked by Mailserver admins. Error: BL_USERS - -# Blacklist sender -# -# Claim successful delivery and silently discard the message. -# -id=BL_SENDER - &&BLOCK_SENDER - #action=DISCARD - action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER - - -# Rate Limits - -# Throttle unknown clients to 5 recipients per 5 minutes: -id=RATE_UNKNOWN_CLIENT_ADDR - sasl_username =~ /^$/ - client_name==unknown - action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed) - -# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. 
Error:RATE_CLIENT) -id=RATE_CLIENT_ADDR - &&INCOMING - action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address) - -# Block messages with more than 50 recipients -id=BLOCK_MSG_RCPT - &&INCOMING - &&SASL_AUTH - recipient_count=50 - action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT - -# Block users sending more than 50 messages/hour -id=RATE_MSG - &&INCOMING - &&SASL_AUTH - action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG) - -# Block users sending more than 250 recipients total/hour -id=RATE_RCPT - &&INCOMING - &&SASL_AUTH - action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT) - diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.wl-nets b/roles/common/files/b.mx/etc/postfix/postfwd.wl-nets index d194340..7ed94f9 100644 --- a/roles/common/files/b.mx/etc/postfix/postfwd.wl-nets +++ b/roles/common/files/b.mx/etc/postfix/postfwd.wl-nets @@ -13,3 +13,7 @@ # --- # give truested networrk adresses here + +# d.mx.oopen.de (listen server) +95.217.204.227 +2a01:4f9:4a:47e5::227 diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.wl-sender b/roles/common/files/b.mx/etc/postfix/postfwd.wl-sender index d5c5acd..39cf74c 100644 --- a/roles/common/files/b.mx/etc/postfix/postfwd.wl-sender +++ b/roles/common/files/b.mx/etc/postfix/postfwd.wl-sender @@ -19,4 +19,7 @@ # --- # give trusted sender addresses here +^noreply@login\.ubuntu\.com$ +^check_local_es_service@oolm-shop\.oopen\.de$ +^root@oolm-shop\.oopen\.de$ diff --git a/roles/common/files/b.mx/etc/postfix/relay_domains b/roles/common/files/b.mx/etc/postfix/relay_domains new file mode 100644 index 0000000..fd1631b --- /dev/null +++ b/roles/common/files/b.mx/etc/postfix/relay_domains 
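Review bot: The three patterns added to roles/common/files/b.mx/etc/postfix/postfwd.wl-sender whitelist by envelope sender, a value every connecting client chooses freely; a rule that turns a TRUSTED_SENDERS match into `DUNNO` (as WHL_SENDERS did in the postfwd.cf this commit deletes) lets any message presenting `noreply@login.ubuntu.com` as MAIL FROM skip the rate and block rules that follow it. If the exemption is meant for oolm-shop and Ubuntu notification traffic, the sending network in `postfwd.wl-nets` (as done in the hunk above for d.mx.oopen.de) or a rule combining the sender pattern with a `client_address` condition is the safer mechanism. The same `^noreply@login\.ubuntu\.com$` entry appears in the new o13-mail/etc/postfix/postfwd.wl-sender further down. A comment in the file naming the rule set that consumes it would also help now that the b.mx postfwd.cf is gone from the role.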
@@ -0,0 +1,182 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +## - a.mx.oopen.de +## - +## - create relay-domain list for host a.mx.oopen.de: +## - cd /var/vmail +## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[a.mx.oopen.de]" ; done +## - +afa-ost.de :[a.mx.oopen.de] +agberatung-berlin.org :[a.mx.oopen.de] +aku-punkt-berlin.de :[a.mx.oopen.de] +akweb.de :[a.mx.oopen.de] +amberg-dolmetschen.de :[a.mx.oopen.de] +anwaeltinnenbuero.info :[a.mx.oopen.de] +anwaeltinnenbuero.net :[a.mx.oopen.de] +anwaeltinnen.de :[a.mx.oopen.de] +anwalthoffmann.de :[a.mx.oopen.de] +anwalt-klinggraeff.de :[a.mx.oopen.de] +anwalt-schrage.de :[a.mx.oopen.de] +anw-nbg.de :[a.mx.oopen.de] +azzellini.net :[a.mx.oopen.de] +b3-bornim.de :[a.mx.oopen.de] +behrens-boehlo.de :[a.mx.oopen.de] +beitragen-statt-wegnehmen.de :[a.mx.oopen.de] +berliner-register.de :[a.mx.oopen.de] +berlin-gegen-nazis.de :[a.mx.oopen.de] +bildungswege.org :[a.mx.oopen.de] +buelos.de :[a.mx.oopen.de] +cacn.de :[a.mx.oopen.de] +cakebook.de :[a.mx.oopen.de] +christoph-mauler.de :[a.mx.oopen.de] +commonground.community :[a.mx.oopen.de] +fluechtlingsrat-brandenburg.de :[a.mx.oopen.de] +georgrohde.de :[a.mx.oopen.de] +glx-consulting.com :[a.mx.oopen.de] +groenlandpaddel-berlin.de :[a.mx.oopen.de] +gruppe-freital-nebenklage.de :[a.mx.oopen.de] +halbzwei.com :[a.mx.oopen.de] +herrschaftskritik.org :[a.mx.oopen.de] +il-pad.oopen.de :[a.mx.oopen.de] +incredible-dharavi.org :[a.mx.oopen.de] +jo.oopen.de :[a.mx.oopen.de] +k8h.de :[a.mx.oopen.de] +kar-loh.de :[a.mx.oopen.de] +kluuu.com :[a.mx.oopen.de] +koma-elektronik.com :[a.mx.oopen.de] +kottbusserdamm.net :[a.mx.oopen.de] +lubax.de :[a.mx.oopen.de] +mail-ga.de :[a.mx.oopen.de] +mbr-berlin.de :[a.mx.oopen.de] +meet2.oopen.de :[a.mx.oopen.de] +meet.agberatung-berlin.org :[a.mx.oopen.de] +meet.akweb.de :[a.mx.oopen.de] +meet.anwaeltinnenbuero.net :[a.mx.oopen.de] +meet.oopen.de :[a.mx.oopen.de] +meet.reachoutberlin.de :[a.mx.oopen.de] 
+mimecentrum.de :[a.mx.oopen.de] +mossestrasse.de :[a.mx.oopen.de] +netclimbers.de :[a.mx.oopen.de] +nsu-nebenklage.de :[a.mx.oopen.de] +oopen.de :[a.mx.oopen.de] +opferperspektive.de :[a.mx.oopen.de] +opra-gewalt.de :[a.mx.oopen.de] +pankow-hilft.de :[a.mx.oopen.de] +presserecht-bundesweit.de :[a.mx.oopen.de] +rajus.de :[a.mx.oopen.de] +reachoutberlin.de :[a.mx.oopen.de] +schule-herzogau.de :[a.mx.oopen.de] +socialfiction.de :[a.mx.oopen.de] +spangenberg-supervision.de :[a.mx.oopen.de] +spjw.de :[a.mx.oopen.de] +tabumove.de :[a.mx.oopen.de] +text-arbeit.net :[a.mx.oopen.de] +traversata-film.de :[a.mx.oopen.de] +vdk-berlin.de :[a.mx.oopen.de] +ware-groesse.de :[a.mx.oopen.de] +wissen-ist-relevant.de :[a.mx.oopen.de] +www.oopen.de :[a.mx.oopen.de] +zahlenkollektiv.org :[a.mx.oopen.de] + + +## - Domains Ilker +## - +alem.social :[mail.alem.social] +egilstein.de :[mail.alem.social] +ungleichgesinnten.de :[mail.alem.social] + +## - mx.gemeinschaft-altenschlirf.de +gemeinschaft-altenschlirf.de :[mx.gemeinschaft-altenschlirf.de] +gemeinschaft-altenschlirf.org :[mx.gemeinschaft-altenschlirf.de] + + +## - lists.oopen.de +## - +## - +## - create relay-domain list for listserver d.mx.oopen.de +## - +## - cd /data/sympa/list_data +## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[d.mx.oopen.de]" ; done +## - +lists.aktionsbuendnis-brandenburg.de :[d.mx.oopen.de] +lists.akweb.de :[d.mx.oopen.de] +lists.bilgisaray.org :[d.mx.oopen.de] +lists.cacn.de :[d.mx.oopen.de] +lists.cadus.org :[d.mx.oopen.de] +lists.faire-mobilitaet.de :[d.mx.oopen.de] +lists.fluechtlingsrat-brandenburg.de :[d.mx.oopen.de] +lists.gemeinschaft-altenschlirf.de :[d.mx.oopen.de] +lists.glx-consult.com :[d.mx.oopen.de] +lists.initiativenserver.de :[d.mx.oopen.de] +lists.kar-loh.de :[d.mx.oopen.de] +lists.mahalle.de :[d.mx.oopen.de] +lists.mbr-berlin.de :[d.mx.oopen.de] +lists.oopen.de :[d.mx.oopen.de] +lists.pankow-hilft.de :[d.mx.oopen.de] +lists.schule-in-not.de 
:[d.mx.oopen.de] +lists.techworkersberlin.com :[d.mx.oopen.de] +lists.visionen-fuer-pankow.de :[d.mx.oopen.de] + + +## - c.mx.oopen.de +## - +## - create relay-domain list for host ic.mx.oopen.de: +## - cd /var/vmail +## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[c.mx.oopen.de]" ; done +## - +aktionsbuendnis-brandenburg.de :[c.mx.oopen.de] +brandenburg-nazifrei.de :[c.mx.oopen.de] +haus-der-demokratie-zossen.de :[c.mx.oopen.de] +initiativenserver.de :[c.mx.oopen.de] +kurage.eu :[c.mx.oopen.de] +willkommen-ohv.de :[c.mx.oopen.de] +zossen-zeigt-gesicht.de :[c.mx.oopen.de] + + +## - so36 - schleuder lists +## - +cryptolists.so36.net :[schleuder3.so36.net] + + +## - so36 maildomains +## - +## - create relay-domain list for host rage.so36.net: +## - cd /var/vmail +## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[rage.so36.net]" ; done +## - +absent-friends.org :[rage.so36.net] +antifa.de :[rage.so36.net] +antifa-versand.de :[rage.so36.net] +archiv-kiel.de :[rage.so36.net] +az-wuppertal.de :[rage.so36.net] +bamm.de :[rage.so36.net] +cilip.de :[rage.so36.net] +dosto.de :[rage.so36.net] +g20-doku.org :[rage.so36.net] +hotmehl.com :[rage.so36.net] +kamalatta.de :[rage.so36.net] +kreta-film.net :[rage.so36.net] +libertad.so36.net :[rage.so36.net] +mail36.net :[rage.so36.net] +oh21.de :[rage.so36.net] +ostpack.de :[rage.so36.net] +so36.net :[rage.so36.net] +so36net.de :[rage.so36.net] +socialforum-berlin.org :[rage.so36.net] +speakerinnen.org :[rage.so36.net] +uffmucken-schoeneweide.de :[rage.so36.net] + +## - so36 lists on sympa.so36.net +## - +## - create relay-domain list for listserver sympa.so36.net +## - +## - cd /data/sympa/list_data +## - for _domain in $(ls) ; do [[ -d "$_domain" ]] && echo -e "$_domain\033[40G:[mx.lists36.net]" ; done +## - +lists36.net :[mx.lists36.net] +lists.mail36.net :[mx.lists36.net] +lists.so36.net :[mx.lists36.net] + +## - codecoop +## - +codecoop.org :[rage.so36.net] 
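Review bot: The header of relay_domains explains how the list was generated but not how Postfix consumes it; the right-hand `:[host]` column only matters if the same table is also referenced as `transport_maps`, whereas a plain `relay_domains` lookup ignores the value. A short comment such as `## - referenced from main.cf as relay_domains and transport_maps; run postmap after changes` (adjusted to what main.cf on b.mx actually does, including the table type) would make the format intelligible and the postmap step obvious. The c.mx section's comment reads `create relay-domain list for host ic.mx.oopen.de`, a typo for `c.mx.oopen.de`.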
diff --git a/roles/common/files/etc/sysctl.d/10-ddos.conf b/roles/common/files/etc/sysctl.d/10-ddos.conf index dc0218b..1bcde6e 100644 --- a/roles/common/files/etc/sysctl.d/10-ddos.conf +++ b/roles/common/files/etc/sysctl.d/10-ddos.conf @@ -12,7 +12,8 @@ kernel.printk = 4 4 1 7 kernel.panic = 10 kernel.sysrq = 0 kernel.shmmax = 4294967296 -kernel.shmall = 4194304 +#kernel.shmall = 4194304 +kernel.shmall = 134217728 kernel.core_uses_pid = 1 kernel.msgmnb = 65536 kernel.msgmax = 65536 diff --git a/roles/common/files/mailserver/etc/postfix/header_checks.pcre b/roles/common/files/mailserver/etc/postfix/header_checks.pcre index 2865d28..be59481 100644 --- a/roles/common/files/mailserver/etc/postfix/header_checks.pcre +++ b/roles/common/files/mailserver/etc/postfix/header_checks.pcre @@ -3,12 +3,18 @@ # --- # - Replace headers -# - Replace recieved from IPv4 +# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender' +# #/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4 - -# - Replace recieved from IPv6 +# #/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6 +# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address +# +#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3 + +#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5 + # --- # - Ignore Headers # --- 
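Review bot: `kernel.shmall` is counted in pages, not bytes, so `134217728` allows 512 GiB of shared memory on 4 KiB pages, while `kernel.shmmax = 4294967296` two lines above still caps a single segment at 4 GiB; the previous 4194304 pages (16 GiB) already covered that, so the new value reads like a bytes-for-pages mix-up unless the host is that large. If the intent was just `shmall >= shmmax / PAGE_SIZE`, `1048576` suffices; otherwise a comment stating the sizing rationale (`# pages: 512 GiB on 4 KiB pages`) would stop the next reader from asking. Keeping the old line as `#kernel.shmall = 4194304` adds nothing git history does not already hold.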
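Review bot: The two new, commented-out "hide only sender IP address" rules in header_checks.pcre are not safe to enable as written: the pattern ends in `\(Authenticated sender: (.*) /`, so the greedy group runs to the last space of the folded header, and the replacement `(Authenticated sender: $3` neither closes the parenthesis nor re-emits what followed it, leaving a truncated Received: header. They need the `([^)]+)\)(.*)` shape of the active rules above, with `$3)$4` (IPv4) and `$5)$6` (IPv6) in the replacement. The same text is copied into roles/common/files/o13-mail/etc/postfix/header_checks.pcre and header_checks.pcre.00 further down; in the o13-mail copy the first pair of rules is active while the shared mailserver copy keeps them disabled, and a comment stating why would help.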
diff --git a/roles/common/files/mailserver/etc/postfix/header_checks.pcre.00 b/roles/common/files/mailserver/etc/postfix/header_checks.pcre.00 new file mode 100644 index 0000000..2865d28 --- /dev/null +++ b/roles/common/files/mailserver/etc/postfix/header_checks.pcre.00 @@ -0,0 +1,37 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# - Replace headers + +# - Replace recieved from IPv4 +#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4 + +# - Replace recieved from IPv6 +#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6 + +# --- +# - Ignore Headers +# --- + +#/^\s*User-Agent/ IGNORE +#/^\s*X-Enigmail/ IGNORE +#/^\s*X-Mailer/ IGNORE +#/^\s*X-Originating-IP/ IGNORE + + +# --- +# - Reject / Discard headers +# --- + +/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001 + +/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001 + +/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001 + +/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001 + +/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001 +/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002 +/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003 +/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004 
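Review bot: roles/common/files/mailserver/etc/postfix/header_checks.pcre.00 is a verbatim copy of the previous header_checks.pcre committed next to the live file; git history already holds that revision, and a stray `.00` file under files/ invites being picked up by a future glob-based copy task. Suggest dropping it from the tree, or if it is kept as a reference, renaming it to something like `header_checks.pcre.example` with a first-line comment stating its purpose.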
diff --git a/roles/common/files/o13-mail/etc/postfix/header_checks.pcre b/roles/common/files/o13-mail/etc/postfix/header_checks.pcre new file mode 100644 index 0000000..a0ec32b --- /dev/null +++ b/roles/common/files/o13-mail/etc/postfix/header_checks.pcre 
@@ -0,0 +1,43 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# - Replace headers + +# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender' +# +/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4 +# +/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6 + +# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address +# +#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3 + +#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5 + +# --- +# - Ignore Headers +# --- + +#/^\s*User-Agent/ IGNORE +#/^\s*X-Enigmail/ IGNORE +#/^\s*X-Mailer/ IGNORE +#/^\s*X-Originating-IP/ IGNORE + + +# --- +# - Reject / Discard headers +# --- + +/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001 + +/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001 + +/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001 + +/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001 + +/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001 +/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002 +/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. 
- Header-Spamschutzregel DATE-1003 +/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004 diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.wl-hosts b/roles/common/files/o13-mail/etc/postfix/postfwd.wl-hosts similarity index 100% rename from roles/common/files/b.mx/etc/postfix/postfwd.wl-hosts rename to roles/common/files/o13-mail/etc/postfix/postfwd.wl-hosts diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.bl-nets b/roles/common/files/o13-mail/etc/postfix/postfwd.wl-nets similarity index 57% rename from roles/common/files/b.mx/etc/postfix/postfwd.bl-nets rename to roles/common/files/o13-mail/etc/postfix/postfwd.wl-nets index e1db645..02ef1ed 100644 --- a/roles/common/files/b.mx/etc/postfix/postfwd.bl-nets +++ b/roles/common/files/o13-mail/etc/postfix/postfwd.wl-nets @@ -1,7 +1,7 @@ # *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** # --- -# Networks blocked by postfwd +# Trusted networks whitelisted by postfwd # # Example: # @@ -12,5 +12,7 @@ # # --- -# give networks to block here - +# give truested networrk adresses here +# d.mx.oopen.de (listen server) +95.217.204.227 +2a01:4f9:4a:47e5::227 diff --git a/roles/common/files/o13-mail/etc/postfix/postfwd.wl-sender b/roles/common/files/o13-mail/etc/postfix/postfwd.wl-sender new file mode 100644 index 0000000..70f2aea --- /dev/null +++ b/roles/common/files/o13-mail/etc/postfix/postfwd.wl-sender @@ -0,0 +1,23 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted senders whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# +# To increase performance use ^ and/or $ in regular expressions +# +# Example: +# +# # all senders of maildomaindomain 'oopen.de' +# @oopen\.de$ +# +# # sender address ckubu@oopen.de +# ^ckubu@oopen\.de$ +# +# --- + +# give trusted sender addresses here +^noreply@login\.ubuntu\.com$ + 
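Review bot: The added line `# give truested networrk adresses here` in the renamed o13-mail/etc/postfix/postfwd.wl-nets carries two typos that the b.mx copy of the file also has; suggest `# give trusted network addresses here`. Since the file was produced by renaming `postfwd.bl-nets` at 57% similarity, the untouched `# Example:` block between the two hunks is worth re-reading to confirm it now describes whitelisting rather than blocking.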
diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.wl-user b/roles/common/files/o13-mail/etc/postfix/postfwd.wl-user similarity index 89% rename from roles/common/files/b.mx/etc/postfix/postfwd.wl-user rename to roles/common/files/o13-mail/etc/postfix/postfwd.wl-user index dc052f5..5eb068a 100644 --- a/roles/common/files/b.mx/etc/postfix/postfwd.wl-user +++ b/roles/common/files/o13-mail/etc/postfix/postfwd.wl-user @@ -12,5 +12,3 @@ # --- # give trusted sasl usernames here - -kanzlei-kiel@b.mx.oopen.de diff --git a/roles/common/files/o13-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf b/roles/common/files/o13-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf new file mode 100644 index 0000000..de2d3df --- /dev/null +++ b/roles/common/files/o13-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf 
@@ -0,0 +1,135 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings for script check_cert_for_dovecot.sh +#----------------------------- +#--------------------------------------- + +# - service_domain +# - +# - The main domain for which the certificate was issued +# - +# - Example: +# - service_domain="a.mx.oopen.de" +# - service_domain="mail.cadus.org" +# - service_domain="mx.warenform.de" +# - +#service_domain="" +service_domain="mail.interventionistische-linke.org" + + +# - service_name +# - +# - Name of service. +# - +# - Note: this var will also be used to determin systemd service file +# - or sysVinit script. +# - +# - Example: +# - service_name="Mumble" +# - service_name="Prosody" +# - +# - Defaults to: +# - service_name="Dovecot" +# - +#service_name="" + + +# - check_string_ps +# - +# - String wich (clearly) identifies the service at the process list (ps) +# - +# - Example: +# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd" +# - check_string_ps="" +# - +# - Defaults to: +# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot" +# - +#check_string_ps="" + + +# - service_user +# - +# - User under which the service is running. +# - +# - Example: +# - service_user="mumble-server" +# - service_user="prosody" +# - +# - Defaults to: +# - service_user="prosody" +# - +#service_user="" + + +# - service_group +# - +# - Group under which the service is running. 
+# - +# - Example: +# - service_group="mumble-server" +# - service_group="prosody" +# - +# - Defaults to: +# - service_group="prosody" +# - +#service_group="" + + +# - cert_installed +# - +# - Locataion of certificate read by service +# - +# - Example: +# - cert_installed="/var/lib/mumble-server/fullchain.pem" +# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.crt +# - +#cert_installed="" + + +# - key_installed +# - +# - Location of the key read by service +# - +# - Example: +# - key_installed="/var/lib/mumble-server/privkey.pem" +# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.key +# - +#key_installed="" + + +# - cert_newest +# - +# - Location of the newest certificate. +# - +# - Example: +# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem" +# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem +# - +#cert_newest="" + + +# - key_newest +# - +# - Location of the newest Key +# - +# - Example: +# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem" +# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem +# - +#key_newest="" + diff --git a/roles/common/files/o13-mail/root/bin/monitoring/conf/check_webservice_load.conf b/roles/common/files/o13-mail/root/bin/monitoring/conf/check_webservice_load.conf new file mode 100644 index 0000000..c97f45e --- /dev/null +++ b/roles/common/files/o13-mail/root/bin/monitoring/conf/check_webservice_load.conf 
@@ -0,0 +1,178 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings +#----------------------------- +#--------------------------------------- + + +# --- +# - LOGGING +# - +# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose, +# - the output will be verbos. If running as cronjob, output will only be written, if warnings or +# - errors occurs. +# --- + + +# - What to check +# - +check_load=true +check_mysql=false + +# - PostgreSQL +# - +# - NOT useful, if more than one PostgreSQL instances are running! +# - +check_postgresql=true + +check_apache=true +check_nginx=false +check_php_fpm=true +check_redis=false +check_website=false + +# - If service is not listen on 127.0.0.1/loclhost, curl check must +# - be ommited +# - +# - Defaults to: ommit_curl_check_nginx=false +# - +#ommit_curl_check_nginx=false + +# - Is this a vserver guest machine? +# - +# - Not VSerber guest host does not support systemd! +# - +# - defaults to: vserver_guest=false +# - +#vserver_guest=false + + +# - Additional Settings for check_mysql +# - +# - MySQL / MariaDB credentials +# - +# - Giving password on command line is insecure an sind mysql 5.5 +# - you will get a warning doing so. +# - +# - Reading username/password fro file ist also possible, using MySQL/MariaDB +# - commandline parameter '--defaults-file'. +# - +# - Since Mysql Version 5.6, you can read username/password from +# - encrypted file. +# - +# - Create (encrypted) option file: +# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password +# - $ Password: +# - +# - Use of option file: +# - $ mysql --login-path=local ... 
+# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +mysql_credential_args="" + + +# - Additional Settings for check_php_fpm +# - +# - On Linux Vserver System set +# - curl_check_host=localhost +# - +# - On LX-Container set +# - curl_check_host=127.0.0.1 +# - +curl_check_host=127.0.0.1 + +# - Which PHP versions should be supported by this script. If more than one, +# - give a blank separated list +# - +# - Example: +# - php_versions="5.4 5.6 7.0 7.1" +# - +php_versions="8.1" + +# - If PHP-FPM's ping.path setting does not match ping-$php_major_version, +# - set the value given in your ping.path setting here. Give ping_path also +# - the concerning php_version in form +# - : +# - +# - Multiple settings are possible, give a blank separated list. +# - +# - Example: +# - +# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de" +# - +ping_path="" + + +# - Additional Settings for check_website - checking (expected) website response +# - +# - example: +# - is_working_url="https://www.outoflineshop.de/" +# - check_string='ool-account-links' +# - include_cleanup_function=true +# - extra_alert_address="ilker@so36.net" +# - cleanup_function=' +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/* +# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/* +# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1 +# - if [[ "$?" = "0" ]]; then +# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\"" +# - else +# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!" +# - fi +# - /etc/init.d/redis_6379 restart +# - if [[ "$?" = "0" ]]; then +# - ok "I restarted the redis service" +# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt +# - else +# - error "Restarting the redis server failed!" 
+# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt +# - fi +# - ' +# - +is_working_url='' + +check_string='' + +include_cleanup_function=true + +# - An extra e-mail address, which will be informed, if the given check URL +# - does not response as expected (check_string) AFTER script checking, restarting +# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done. +# - +extra_alert_address='' + +# - php_version_of_working_url +# - +# - If given website (is_working_url) does not response as expected, this PHP FPM +# - engines will be restarted. +# - +# - Type "None" if site does not support php +# - +# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions) +# - will be restarted +# - +php_version_of_working_url='' + +# - Notice: +# - If single qoutes "'" not needed inside cleanup function, then use single quotes +# - to enclose variable "cleanup_function". Then you don't have do masquerade any +# - sign inside. +# - +# - Otherwise use double quotes and masq any sign to prevent bash from interpreting. +# - +cleanup_function=' +' + + +# - E-Mail settings for sending script messages +# - +from_address="root@`hostname -f`" +content_type='Content-Type: text/plain;\n charset="utf-8"' +to_addresses="root" + diff --git a/roles/common/files/o13-mail/root/bin/postfix/conf/check-postfix-fatal-errors.conf b/roles/common/files/o13-mail/root/bin/postfix/conf/check-postfix-fatal-errors.conf new file mode 100644 index 0000000..bc7a2cf --- /dev/null +++ b/roles/common/files/o13-mail/root/bin/postfix/conf/check-postfix-fatal-errors.conf 
@@ -0,0 +1,54 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------------------------------- +# - Parameter Settings for script 'check-postfix-fatal-error.sh'. +# --------------------------------------------------------------- + +# MAIL_LOG +# +# Full qualified path to the mail log-file +# +# Defaults to: MAIL_LOG=/var/log/mail.log +# +#MAIL_LOG="/var/log/mail.log" + + +# --- +# - E-Mail settings for sending script messages +# --- + +# - company +# - +# - Example: company="Cadus e.V." +# - +# - Defaults to: +# - company="O.OPEN" +# - +#company="O.OPEN" +company="IL" + +# - sender_address +# - +# - Defaults to: +# - sender_address="${script_name%%.*}@$(hostname -f)" +# - +#sender_address="check-postfix-fatal-error@$(hostname -f)" + +# - content_type +# - +# - Defaults to: +# - content_type='Content-Type: text/plain;\n charset="utf-8"' +# - +#content_type='Content-Type: text/plain;\n charset="utf-8"' + +# - alert_email_addresses +# - +# - blank separated list of e-mail addresses +# +# - Example: alert_email_addresses="ckubu@oopen.de axel@warenform.net" +# - +# - Defaults to: +# - alert_email_addresses="ckubu@oopen.de" +# - +#alert_email_addresses="ckubu@oopen.de" + diff --git a/roles/common/files/rage/etc/postfix/header_checks.pcre b/roles/common/files/rage/etc/postfix/header_checks.pcre new file mode 100644 index 0000000..88aa69f --- /dev/null +++ b/roles/common/files/rage/etc/postfix/header_checks.pcre 
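Review bot: `alert_email_addresses` is left at its commented-out default (`ckubu@oopen.de`) while `company` is overridden to `"IL"`; the parallel file for the rage host later in this diff sets `alert_email_addresses` explicitly, so if this host's fatal-error alerts are meant to reach a site-specific address an uncommented assignment is missing here. If the default is intentional, a line such as `# alert_email_addresses intentionally left at the script default` would stop the next reader from raising the same question. The script name in the header (`check-postfix-fatal-error.sh`) and the file name (`check-postfix-fatal-errors.conf`) differ by an `s`; worth confirming which is right.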
@@ -0,0 +1,43 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# - Replace headers + +# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender' +# +#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4 +# +#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6 + +# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address +# +/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3 + +/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5 + +# --- +# - Ignore Headers +# --- + +#/^\s*User-Agent/ IGNORE +#/^\s*X-Enigmail/ IGNORE +#/^\s*X-Mailer/ IGNORE +#/^\s*X-Originating-IP/ IGNORE + + +# --- +# - Reject / Discard headers +# --- + +/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001 + +/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001 + +/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001 + +/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001 + +/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001 +/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002 +/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. 
- Header-Spamschutzregel DATE-1003 +/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004 diff --git a/roles/common/files/b.mx/etc/postfix/postfwd.bl-hosts b/roles/common/files/rage/etc/postfix/postfwd.wl-hosts similarity index 66% rename from roles/common/files/b.mx/etc/postfix/postfwd.bl-hosts rename to roles/common/files/rage/etc/postfix/postfwd.wl-hosts index 875dcf6..c425a4e 100644 --- a/roles/common/files/b.mx/etc/postfix/postfwd.bl-hosts +++ b/roles/common/files/rage/etc/postfix/postfwd.wl-hosts @@ -1,7 +1,7 @@ # *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** # --- -# hosts blocked by postfwd +# Trusted hosts whitelisted by postfwd # # This file is called with '=~'. This means perl regexp is possible # @@ -10,13 +10,13 @@ # # Example: # -# # block all hosts of domain 'oopen.de' +# # all hosts of domain 'oopen.de' # \.oopen\.de$ # -# # block host a.mx.oopen.de +# # host a.mx.oopen.de # ^a\.mx\.oopen\.de$ # # --- -# give hostnames to blocke here +# give truested hostnames here diff --git a/roles/common/files/rage/etc/postfix/postfwd.wl-nets b/roles/common/files/rage/etc/postfix/postfwd.wl-nets new file mode 100644 index 0000000..02ef1ed --- /dev/null +++ b/roles/common/files/rage/etc/postfix/postfwd.wl-nets @@ -0,0 +1,18 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted networks whitelisted by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give truested networrk adresses here +# d.mx.oopen.de (listen server) +95.217.204.227 +2a01:4f9:4a:47e5::227 diff --git a/roles/common/files/rage/etc/postfix/postfwd.wl-sender b/roles/common/files/rage/etc/postfix/postfwd.wl-sender new file mode 100644 index 0000000..70f2aea --- /dev/null +++ b/roles/common/files/rage/etc/postfix/postfwd.wl-sender 
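Review bot: The "date from the past" rules stop at `DATE-1004` (`/^Date: .* 2020/`), so a message dated 2021 or 2022 passes while one dated 2020 is rejected; if the intent is to reject anything older than the current year the list needs an entry per intervening year and a comment stating the policy, e.g. `# reject Date: years before the current one - extend this list every January`, so the annual update is not forgotten. The two active REPLACE rules keep the `Authenticated sender:` value (`$3`, `$5`) whereas the commented-out variants replace it with `hidden`; a one-line comment on why the weaker anonymisation was chosen for this host would explain the disabled lines. `recieved` in the two section comments is misspelled.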
@@ -0,0 +1,23 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# Trusted senders whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# +# To increase performance use ^ and/or $ in regular expressions +# +# Example: +# +# # all senders of maildomaindomain 'oopen.de' +# @oopen\.de$ +# +# # sender address ckubu@oopen.de +# ^ckubu@oopen\.de$ +# +# --- + +# give trusted sender addresses here +^noreply@login\.ubuntu\.com$ + diff --git a/roles/common/files/rage/etc/postfix/postfwd.wl-user b/roles/common/files/rage/etc/postfix/postfwd.wl-user new file mode 100644 index 0000000..5eb068a --- /dev/null +++ b/roles/common/files/rage/etc/postfix/postfwd.wl-user @@ -0,0 +1,14 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --- +# SASL Users whitelisted by postfwd +# +# example: +# +# # give trusted sasl usernames here +# ckubu@oopen.de +# vertrieb@akweb.de +# +# --- + +# give trusted sasl usernames here diff --git a/roles/common/files/rage/root/bin/monitoring/conf/check_cert_for_dovecot.conf b/roles/common/files/rage/root/bin/monitoring/conf/check_cert_for_dovecot.conf new file mode 100644 index 0000000..d29889e --- /dev/null +++ b/roles/common/files/rage/root/bin/monitoring/conf/check_cert_for_dovecot.conf 
@@ -0,0 +1,135 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +#--------------------------------------- +#----------------------------- +# Settings for script check_cert_for_dovecot.sh +#----------------------------- +#--------------------------------------- + +# - service_domain +# - +# - The main domain for which the certificate was issued +# - +# - Example: +# - service_domain="a.mx.oopen.de" +# - service_domain="mail.cadus.org" +# - service_domain="mx.warenform.de" +# - +#service_domain="" +service_domain="rage.so36.net" + + +# - service_name +# - +# - Name of service. +# - +# - Note: this var will also be used to determin systemd service file +# - or sysVinit script. +# - +# - Example: +# - service_name="Mumble" +# - service_name="Prosody" +# - +# - Defaults to: +# - service_name="Dovecot" +# - +#service_name="" + + +# - check_string_ps +# - +# - String wich (clearly) identifies the service at the process list (ps) +# - +# - Example: +# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd" +# - check_string_ps="" +# - +# - Defaults to: +# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot" +# - +#check_string_ps="" + + +# - service_user +# - +# - User under which the service is running. +# - +# - Example: +# - service_user="mumble-server" +# - service_user="prosody" +# - +# - Defaults to: +# - service_user="prosody" +# - +#service_user="" + + +# - service_group +# - +# - Group under which the service is running. 
+# - +# - Example: +# - service_group="mumble-server" +# - service_group="prosody" +# - +# - Defaults to: +# - service_group="prosody" +# - +#service_group="" + + +# - cert_installed +# - +# - Locataion of certificate read by service +# - +# - Example: +# - cert_installed="/var/lib/mumble-server/fullchain.pem" +# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.crt +# - +#cert_installed="" + + +# - key_installed +# - +# - Location of the key read by service +# - +# - Example: +# - key_installed="/var/lib/mumble-server/privkey.pem" +# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem" +# - +# - Defaults to: +# - /etc/dovecot/ssl/mailserver.key +# - +#key_installed="" + + +# - cert_newest +# - +# - Location of the newest certificate. +# - +# - Example: +# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem" +# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem +# - +#cert_newest="" + + +# - key_newest +# - +# - Location of the newest Key +# - +# - Example: +# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem" +# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem" +# - +# - Defaults to: +# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem +# - +#key_newest="" + diff --git a/roles/common/files/rage/root/bin/postfix/conf/check-postfix-fatal-errors.conf b/roles/common/files/rage/root/bin/postfix/conf/check-postfix-fatal-errors.conf new file mode 100644 index 0000000..75eb558 --- /dev/null +++ b/roles/common/files/rage/root/bin/postfix/conf/check-postfix-fatal-errors.conf 
@@ -0,0 +1,55 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# --------------------------------------------------------------- +# - Parameter Settings for script 'check-postfix-fatal-error.sh'. +# --------------------------------------------------------------- + +# MAIL_LOG +# +# Full qualified path to the mail log-file +# +# Defaults to: MAIL_LOG=/var/log/mail.log +# +#MAIL_LOG="/var/log/mail.log" + + +# --- +# - E-Mail settings for sending script messages +# --- + +# - company +# - +# - Example: company="Cadus e.V." +# - +# - Defaults to: +# - company="O.OPEN" +# - +#company="O.OPEN" +company="so36.NET e.V." + +# - sender_address +# - +# - Defaults to: +# - sender_address="${script_name%%.*}@$(hostname -f)" +# - +#sender_address="check-postfix-fatal-error@$(hostname -f)" + +# - content_type +# - +# - Defaults to: +# - content_type='Content-Type: text/plain;\n charset="utf-8"' +# - +#content_type='Content-Type: text/plain;\n charset="utf-8"' + +# - alert_email_addresses +# - +# - blank separated list of e-mail addresses +# +# - Example: alert_email_addresses="ckubu@oopen.de axel@warenform.net" +# - +# - Defaults to: +# - alert_email_addresses="ckubu@oopen.de" +# - +#alert_email_addresses="ckubu@oopen.de" +alert_email_addresses="roots@so36.net" + diff --git a/roles/common/files/rage/root/bin/postfix/conf/get_number_of_deferred_mailqueue.conf b/roles/common/files/rage/root/bin/postfix/conf/get_number_of_deferred_mailqueue.conf new file mode 100644 index 0000000..8152967 --- /dev/null +++ b/roles/common/files/rage/root/bin/postfix/conf/get_number_of_deferred_mailqueue.conf 
@@ -0,0 +1,27 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'get_number_of_deferred_mailqueue.sh'. +# --- +# ---------------------------------------------------- + +# - notification_addresses +# - +# - Where to send notifications +# - +# - Defaults to argus@oopen.de +# - +notification_addresses="roots@so36.net" + + +# - count_warn +# - +# - If number of deferred e-mails exceeds give parameter 'count_warn' +# - an e-mail will be written to adresse(s) given at parameter +# - 'notification_addresses'. +# - +# - Defaults to 100 +# - +#count_warn=100 + diff --git a/roles/common/files/rage/root/bin/postfix/conf/sent_userinfo_postfix.conf b/roles/common/files/rage/root/bin/postfix/conf/sent_userinfo_postfix.conf new file mode 100644 index 0000000..7329af4 --- /dev/null +++ b/roles/common/files/rage/root/bin/postfix/conf/sent_userinfo_postfix.conf 
@@ -0,0 +1,94 @@ +# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] *** + +# ---------------------------------------------------- +# --- +# - Parameter Settings for script 'sent_userinfo_postfix.sh'. +# --- +# ---------------------------------------------------- + +# - message_body_file +# - +# - Full path to file containing the user info. This file must contain +# - the message body WITHOUT e-mail headers. If file is placed in the +# - 'files' directory use '${file_dir}/' +# - +# - Defaults to '${file_dir}/sent_userinfo_postfix.message' +# - +#message_body_file="${file_dir}/sent_userinfo_postfix.message" + + +# - email_from +# - +# - From Address of user info +# - +# - Example: 'oo@oopen.de' +# - +#email_from="" +email_from="support@so36.net" + + +# - email_from_org +# - +# - Example: email_from_org="O.OPEN" +# - +#email_from_org="" +email_from_org="so36.NET e.V." + + +# - db_type +# - +# - Type of Postfix Database +# - +# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL) +# - +# - Defaults to: db_type="pgsql" +# - +#db_type="pgsql" + +# - db_name +# - +# - Database name for the postfix database +# - +# - Defaults to: db_name="postfix" +# - +#db_name="postfix" + +# - mysql_credential_args (root access to MySQL Database) +# - +# - Example +# - mysql_credential_args="--login-path=local" +# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default) +# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf" +# - +# - Defaults to: +# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system +# - '/usr/local/mysql/sys-maint.cnf' otherwise +# - +#mysql_credential_args="" + + +# - mail_user +# - +# - The owner of the mailbox directories and within the e-mails itself. +# - +# - defaults to mail_user="vmail" +# - +#mail_user="vmail" + + +# - mail_group +# - +# - The group of the mailbox directories +# - +# - defaults to mail_group="vmail" +# - +#mail_group="vmail" + + +# - mail_basedir - No more needed! 
+# -
+# - The root directory where all mailbox-domains are located.
+# -
+# - Defaults to '/var/vmail'.
+# -
+#mail_basedir=/var/vmail
diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml
index 103fc9d..377b6be 100644
--- a/roles/common/tasks/basic.yml
+++ b/roles/common/tasks/basic.yml
@@ -105,7 +105,7 @@
 group: root
 owner: root
 when:
- - inventory_hostname not in groups['lxc_guest']
+ - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
 - copy_plain_files_sysctl is defined
 - copy_plain_files_sysctl|length > 0
 tags:
@@ -122,7 +122,7 @@
 loop_control:
 label: 'dest: {{ item.name }}'
 when:
- - inventory_hostname not in groups['lxc_guest']
+ - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
 - copy_plain_files_sysctl is defined
 - copy_plain_files_sysctl|length > 0
 tags:
@@ -139,7 +139,7 @@
 loop_control:
 label: 'dest: {{ item.name }}'
 when:
- - inventory_hostname not in groups['lxc_guest']
+ - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
 - copy_additional_plain_files_sysctl is defined
 - copy_additional_plain_files_sysctl|length > 0
 tags:
diff --git a/roles/common/tasks/copy_files.yml b/roles/common/tasks/copy_files.yml
index 27285f0..6530577 100644
--- a/roles/common/tasks/copy_files.yml
+++ b/roles/common/tasks/copy_files.yml
@@ -1,6 +1,23 @@
 ---
+# ---
+# Some Checks
+# ---
+- name: Check if file '/etc/postfix/relay_domains' exists
+ stat:
+ path: /etc/postfix/relay_domains
+ register: relay_domains_actual
+
+- name: (copy_files.yml) Get checksum of '/etc/postfix/relay_domains'
+ set_fact:
+ relay_domains_sha1: "{{ relay_domains_actual.stat.checksum }}"
+ when:
+ - relay_domains_actual.stat.exists
+
+# ---
+# Copy files - main
+# ---
 - name: (copy_files.yml) Copy plain files
 copy:
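Review bot: `groups['lxc_host']` in the new condition is evaluated on every host, and on an inventory that defines no `lxc_host` group it is, as far as I can tell, an undefined-variable error rather than false, so the three sysctl tasks would fail instead of being skipped; `inventory_hostname in groups.get('lxc_host', [])` avoids that (the pre-existing `groups['lxc_guest']` has the same exposure). The expression is repeated verbatim in the hunks at `-122,7` and `-139,7`; computing it once, e.g. `sysctl_applies: "{{ inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host'] }}"` in a preceding `set_fact`, would keep the three conditions from diverging. Each task's body starts outside its hunk.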
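Review bot: `relay_domains_sha1` is set here but never read anywhere in this diff — the comparison in the last hunk of this file uses `relay_domains_actual.stat.checksum` directly — so the `set_fact` task is dead code, and the same holds for `relay_domains_sha1_new` in that last hunk. Registering the result of the copy task that writes `/etc/postfix/relay_domains` and keying the rebuild on `result.changed` would make both `set_fact` tasks and the before/after `stat` pair unnecessary. If the stat approach stays, gating it on the same `groups['mail_server']` condition the copy task uses would stop it from running on every host in the play.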
@@ -36,6 +53,26 @@
 tags:
 - copy-files
 - copy-plain-files
+ notify: "Reload postfwd"
+
+- name: (copy_files.yml) Copy host specific plain files Postfix (/etc/postfix)
+ copy:
+ src: '{{ item.src_path }}'
+ dest: '{{ item.dest_path }}'
+ owner: root
+ group: root
+ mode: '0644'
+ loop: "{{ copy_plain_files_postfix_host_specific }}"
+ loop_control:
+ label: 'dest: {{ item.name }}'
+ when:
+ - inventory_hostname in groups['mail_server']
+ - copy_plain_files_postfix_host_specific is defined
+ - copy_plain_files_postfix_host_specific|length > 0
+ tags:
+ - copy-files
+ - copy-plain-files
+ notify: "Reload postfwd"
 - name: (copy_files.yml) Copy plain files Postfix Firewall (postfwd)
 copy:
@@ -92,3 +129,26 @@
 tags:
 - copy-files
 - copy-template-files
+
+# ---
+# Some final tasks
+# ---
+
+- name: Get checksum oif (possible upodated) file '/etc/postfix/relay_domains' exists
+ stat:
+ path: /etc/postfix/relay_domains
+ register: relay_domains_new
+
+- name: (copy_files.yml) Get checksum of '/etc/postfix/relay_domains'
+ set_fact:
+ relay_domains_sha1_new: "{{ relay_domains_new.stat.checksum }}"
+ when:
+ - relay_domains_new.stat.exists
+
+- name: (copy_files.yml) Renew database /etc/postfix/relay_domains.db
+ shell: '/usr/sbin/postmap btree:/etc/postfix/relay_domains'
+ when:
+ - relay_domains_actual.stat.exists
+ - relay_domains_new.stat.exists
+ - relay_domains_actual.stat.checksum != relay_domains_new.stat.checksum
+ notify: "Reload postfwd"
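Review bot: The new task copies files into `/etc/postfix` yet notifies only `Reload postfwd`, and the same handler is also attached to the task that ends at the top of this hunk, whose name is outside it; what `Reload postfwd` does is not visible here, but unless it also reloads Postfix a changed Postfix configuration copied by this task is not picked up by the running daemon. Either add a Postfix reload handler to the `notify` list (`notify: ["Reload postfwd", "<postfix reload handler>"]`, using whatever name the role's handlers define) or document in a comment why a postfwd reload is sufficient. `groups['mail_server']` also raises an undefined-variable error on inventories without a `mail_server` group; `groups.get('mail_server', [])` keeps the condition a plain false.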
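Review bot: The final `when:` requires `relay_domains_actual.stat.exists`, so on a host where this run creates `/etc/postfix/relay_domains` for the first time `postmap` never runs and `relay_domains.db` is missing until the file changes again — exactly the case a freshly provisioned mail host hits. Dropping the pre-existence requirement and comparing checksums only when the old file existed fixes that (below); `command:` rather than `shell:` fits a fixed argv with no shell syntax. The task name `Get checksum oif (possible upodated) file ... exists` has typos and describes neither a stat nor an existence check, and as in the hunk above it is not visible whether `Reload postfwd` makes Postfix re-read the rebuilt map.
```yaml
# … unchanged: the two stat tasks above …
- name: (copy_files.yml) Renew database /etc/postfix/relay_domains.db
  command: /usr/sbin/postmap btree:/etc/postfix/relay_domains
  when:
    - relay_domains_new.stat.exists
    - >-
      not relay_domains_actual.stat.exists
      or relay_domains_actual.stat.checksum != relay_domains_new.stat.checksum
  notify: "Reload postfwd"
```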