diff --git a/cmdeploy/src/cmdeploy/opensmtpd/smtpd.conf.j2 b/cmdeploy/src/cmdeploy/opensmtpd/smtpd.conf.j2
new file mode 100644
index 0000000..319122b
--- /dev/null
+++ b/cmdeploy/src/cmdeploy/opensmtpd/smtpd.conf.j2
@@ -0,0 +1,30 @@
+###
+# Options
+queue compression
+queue encryption 5f8683f56925a520df1847dd2e1e87f3 # Generate with openssl rand -hex 16
+smtp max-message-size 30M
+smtp ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
+
+###
+# PKI
+pki {{ config.mail_domain }} cert /var/lib/acme/live/{{ config.mail_domain }}/fullchain
+pki {{ config.mail_domain }} key /var/lib/acme/live/{{ config.mail_domain }}/privkey
+pki {{ config.mail_domain }} dhe auto
+
+###
+# Tables
+table aliases file:/etc/mail/aliases
+table users file:/etc/mail/users
+table passdb file:/etc/mail/passdb
+table local { "{{ config.mail_domain }}" }
+
+###
+# Connections
+listen on egress port 25 tls pki {{ config.mail_domain }} tag MTA
+listen on egress port 465 smtps pki {{ config.mail_domain }} auth received-auth mask-src tag MSA
+listen on egress port 587 tls-require pki {{ config.mail_domain }} auth received-auth mask-src tag MSA
+
+###
+# Actions
+action "forward" forward-only alias
+action "mda" mda "/usr/local/libexec/dovecot/dovecot-lda -a %{rcpt} -d %{dest} -f %{mbox.from}" virtual wrapper "dovecot"
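Review bot: The `queue encryption` line commits a literal 128-bit key into the template, so every host deployed from it encrypts its mail queue with the same key, and that key is readable by anyone with access to the repository. The trailing comment already says the value should be generated with `openssl rand -hex 16`, so the template should take it from a per-deployment secret rather than a constant, for example `queue encryption {{ QUEUE_KEY_PLACEHOLDER }}`, where the variable name is a placeholder for whatever secret the deploy tooling creates on first install and keeps out of version control. The value in this commit should be treated as disclosed and not reused on any real host. Separately, `table passdb` is declared but neither `auth` listener references it (`auth <passdb>`), so submission on ports 465 and 587 presumably authenticates against system accounts instead; worth confirming that this is intended.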