diff --git a/host_vars/gabriel.c3heaven.de b/host_vars/gabriel.c3heaven.de
new file mode 100644
index 0000000000000000000000000000000000000000..709b12816cf0847a3b5ec96e1d726944a1d2f58c
--- /dev/null
+++ b/host_vars/gabriel.c3heaven.de
@@ -0,0 +1,42 @@
+acmetool_cert_domains:
+ - gabriel.c3heaven.de
+ - c3heaven.de
+ - lists.c3heaven.de
+ - wiki.c3heaven.de
+
+nginx_http_locations:
+ - location: "/"
+   config: |
+     access_log off;
+     log_not_found off;
+     return 301 https://$host$request_uri;
+
+nginx_https_default_headers:
+ - name: "Strict-Transport-Security"
+   value: "max-age=31536000; includeSubDomains"
+ - name: "X-XSS-Protection"
+   value: "1; mode=block"
+ - name: "X-Frame-Options"
+   value: "DENY"
+ - name: "X-Content-Type-Options"
+   value: "nosniff"
+ - name: "Referrer-Policy"
+   value: "same-origin"
+
+rspamd_enabled: true
+
+postfix_mydestination: "localhost, $myhostname, c3heaven.de"
+postfix_myorigin: "c3heaven.de"
+postfix_generic_map:
+ - "www-data@c3heaven.de noreply@c3heaven.de"
+postfix_additional_admin_aliases:
+ - shift
+ - shifts
+ - ticket
+postfix_alias_maps:
+ - "hash:/etc/aliases"
+ - "hash:/var/lib/mailman/data/aliases"
+postfix_virtual_alias_domains:
+ - "lists.c3heaven.de"
+postfix_virtual_alias_maps:
+ - "hash:/var/lib/mailman/data/virtual-mailman"
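Review bot: The `Strict-Transport-Security` value in `nginx_https_default_headers` carries `includeSubDomains`, and as a default header it is presumably sent for every site on this host, including `c3heaven.de` itself. That would pin all subdomains of `c3heaven.de` to HTTPS for a year, including any served from other machines, so it is worth confirming each of them has a valid certificate before this rolls out. Separately, `X-XSS-Protection: "1; mode=block"` targets a browser XSS filter that current browsers no longer implement; current guidance is to send `0` or drop the header and add a `Content-Security-Policy` entry instead. A short comment above the list, such as `# applied to every HTTPS vhost on this host`, would make the scope clear to the next editor.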
diff --git a/roles/nginx-https/templates/https-site.j2 b/roles/nginx-https/templates/https-site.j2
index e24fb3cbd14e1b08cbbd627ebeddef59a638d924..45d8e7783d7367c0e9a1ccc51c2e5b34e86f9e09 100644
--- a/roles/nginx-https/templates/https-site.j2
+++ b/roles/nginx-https/templates/https-site.j2
@@ -16,13 +16,13 @@ server {
 
 {% if nginx_https_default_headers %}
 {% for header in nginx_https_default_headers %}
-  add_header {{ header }};
+  add_header {{ header.name }} "{{ header.value }}";
 {% endfor %}
 {% endif %}
 
 {% if item.headers %}
 {% for header in item.headers %}
-  add_header {{ header }};
+  add_header {{ header.name }} "{{ header.value }}";
 {% endfor %}
 {% endif %}
 
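Review bot: Both rewritten `add_header` lines omit the `always` parameter, so nginx will attach these headers only to successful and redirect responses and leave them off 4xx/5xx error pages. For security headers such as HSTS and `X-Frame-Options` the usual form is `add_header {{ header.name }} "{{ header.value }}" always;`, in the default loop and the `item.headers` loop alike. The value is also placed inside double quotes without escaping, so a value containing `"` would produce a broken or unintended directive; a comment stating that values must not contain double quotes, or an escaping filter, would cover that. Any existing inventory that still passes headers as plain strings would need migrating to the `name`/`value` form, which is not visible in this diff. The `server` block starts and continues outside the hunk.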
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml
index 39e9ae37b04615310170dafe6a52f8c0bec8daca..9105874fec8db1c1442c71678b140a8a9d95201a 100644
--- a/roles/postfix/defaults/main.yml
+++ b/roles/postfix/defaults/main.yml
@@ -1,3 +1,5 @@
+postfix_mydestination: "localhost, $myhostname"
+postfix_myorigin: null
 postfix_alias_maps:
  - "hash:/etc/aliases"
 postfix_virtual_alias_domains: []
@@ -8,6 +10,4 @@ postfix_tls_high_cipherlist: "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-S
 postfix_smtpd_tls_mandatory_protocols: "TLSv1.2"
 postfix_ssl_dhparam: "/etc/postfix/dh_2048.pem"
 postfix_ssl_dhparam_bits: 2048
-
-opendkim_enabled: false
-
+postfix_additional_admin_aliases: []
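Review bot: This defaults file drops `opendkim_enabled` but adds no default for `rspamd_enabled` or `postfix_generic_map`, both of which the role's templates now read. `main.cf.j2` tests `rspamd_enabled`, and `generic.j2` iterates `postfix_generic_map` from a task that runs unconditionally. Unless another role or group_vars defines them, any host that does not set both will likely fail templating with an undefined-variable error. Adding `rspamd_enabled: false` and `postfix_generic_map: []` here keeps the role self-contained and makes the milter wiring opt-in by default.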
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
index 3c53c32d915645e07bf72610fb21fe50d1e60c7c..816869d65ab2846a35179dadee9a26eeb7d73f2c 100644
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -1,7 +1,10 @@
+- name: newaliases
+  command: newaliases
+
+- name: postmap generic
+  command: postmap /etc/postfix/generic
+
 - name: restart postfix
   systemd:
     name: postfix
     state: restarted
-
-- name: newaliases
-  command: newaliases
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index 4c8b97660568c418d80be5b80a3d9b7edfd921bb..abc4897fabc9a758a749b0bd7de6c70510e21e36 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -26,3 +26,9 @@
     src: "aliases.j2"
     dest: "/etc/aliases"
   notify: newaliases
+
+- name: configure generic map
+  template:
+    src: "generic.j2"
+    dest: "/etc/postfix/generic"
+  notify: postmap generic
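Review bot: The new `configure generic map` task sets no owner, group or mode, so the permissions of `/etc/postfix/generic` depend on the umask and on whatever file already exists on the target. This map rewrites sender addresses on outgoing mail, so it should be writable by root only. Stating that explicitly with `owner: root`, `group: root` and `mode: "0644"` under `template:` makes it auditable. The `aliases.j2` task visible in the context lines appears to have the same gap, though its start is outside the hunk.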
diff --git a/roles/postfix/templates/aliases.j2 b/roles/postfix/templates/aliases.j2
index 89a3919becd1a2ed65b3f389bbaeef4f816d9517..9d96228744af3849a68668e6a559fcc7eecf06bc 100644
--- a/roles/postfix/templates/aliases.j2
+++ b/roles/postfix/templates/aliases.j2
@@ -11,3 +11,10 @@ security: admins
 postmaster: admins
 webmaster: admins
 root: admins
+
+{% if postfix_additional_admin_aliases %}
+# additional admin aliases
+{% for alias in postfix_additional_admin_aliases %}
+{{ alias }}: admins
+{% endfor %}
+{% endif %}
diff --git a/roles/postfix/templates/generic.j2 b/roles/postfix/templates/generic.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4a2a21ff34274fabca8a9af4cabe2afa28496a61
--- /dev/null
+++ b/roles/postfix/templates/generic.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for line in postfix_generic_map %}
+{{ line }}
+{% endfor %}
diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2
index 2c5630d37e425ec1eaca5fd7aa7b729203f940e2..e8a84963111d1a749cae218a197818d8144dee5f 100644
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -5,25 +5,40 @@ biff = no
 compatibility_level = 2
 
 myhostname = {{ inventory_hostname }}
-mydestination = localhost, $myhostname
+mydestination = {{ postfix_mydestination }}
+{% if postfix_myorigin %}
+myorigin = {{ postfix_myorigin }}
+{% endif %}
 
+show_user_unknown_table_name = no
 alias_database = hash:/etc/aliases
 alias_maps = {{ postfix_alias_maps|join(', ') }}
-{% if postfix_virtual_alias_domains %}virtual_alias_domains = {{ postfix_virtual_alias_domains|join(', ') }}{% endif %}
-{% if postfix_virtual_alias_maps %}virtual_alias_maps = {{ postfix_virtual_alias_maps|join(', ') }}{% endif %}
+{% if postfix_virtual_alias_domains %}
+virtual_alias_domains = {{ postfix_virtual_alias_domains|join(', ') }}
+{% endif %}
+{% if postfix_virtual_alias_maps %}
+virtual_alias_maps = {{ postfix_virtual_alias_maps|join(', ') }}
+{% endif %}
 
 inet_interfaces = all
 inet_protocols = ipv6, ipv4
 
+{% if rspamd_enabled %}
+smtpd_milters = inet:localhost:11332
+non_smtpd_milters = inet:localhost:11332
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+milter_default_action = accept
+{% endif %}
+
 mailbox_size_limit = {{ postfix_mailbox_size_limit }}
 message_size_limit = {{ postfix_message_size_limit }}
-{% if opendkim_enabled %}non_smtpd_milters = inet:localhost:11332{% endif %}
 
 tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}
 
 smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_use_tls = yes
+smtp_generic_maps = hash:/etc/postfix/generic
 
 smtpd_banner = $myhostname loves ESMTP
 smtpd_tls_cert_file=/var/lib/acme/live/{{ inventory_hostname }}/fullchain
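Review bot: The line `milter_default_action = accept` in the new `rspamd_enabled` block makes the milter fail open, so mail is accepted unfiltered whenever the service on `localhost:11332` is down or times out. If rspamd also handles signing for `non_smtpd_milters`, which this diff does not show, locally submitted mail would then leave unsigned as well. If availability is the deliberate trade-off, record it with a comment such as `# fail open: deliver unfiltered if rspamd is unreachable` and alert on milter connection errors in the mail log. Otherwise leave the setting out so Postfix's default of `tempfail` applies and senders retry. Separately, `smtp_generic_maps = hash:/etc/postfix/generic` is emitted unconditionally, so every host using this role needs that map built even when `postfix_generic_map` is empty. The file continues outside the hunk.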