diff --git a/library/roles/postfix/defaults/main.yml b/library/roles/postfix/defaults/main.yml
index cd19e64..fdf25b7 100644
--- a/library/roles/postfix/defaults/main.yml
+++ b/library/roles/postfix/defaults/main.yml
@@ -44,9 +44,9 @@ postfix_smtp_relay_user: '{{ ansible_fqdn }}'
 # This one has to be set inside a vault file
 #postfix_smtp_relay_pwd: 'set_you_password_here_in_a_vault_encrypted_file'
 postfix_smtpd_reject_unknown_helo_hostname: False
-
+postfix_reject_unknown_sender_domain: True
 #############################################################################
-# Relay server: accept authenticated clients
+# Relay server: accepts authenticated clients
 #############################################################################
 postfix_relay_server: False
 #
@@ -62,6 +62,10 @@ postfix_milter_action: tempfail
 # SMTP server that not accept authenticated clients. 
 #############################################################################
 postfix_smtpd_server: False
+#############################################################################
+# SMTP submission server: accepts authenticated clients
+#############################################################################
+postfix_submission_server: False
 ###########################################################################################
 # The following options are used when acting as a relay or as a general purpose SMTP server
 ###########################################################################################
diff --git a/library/roles/postfix/tasks/smtp-common-packages.yml b/library/roles/postfix/tasks/smtp-common-packages.yml
index d36d22e..5db5e32 100644
--- a/library/roles/postfix/tasks/smtp-common-packages.yml
+++ b/library/roles/postfix/tasks/smtp-common-packages.yml
@@ -39,7 +39,7 @@
       register: postfix_network_table_status
 
   when: postfix_install_packages | bool
-  tags: postfix
+  tags: [ 'postfix', 'postfix_conf' ]
 
 - block:
     - name: Ensure that postfix is started and enabled
@@ -56,7 +56,7 @@
   when:
     - postfix_install_packages | bool
     - postfix_enabled | bool
-  tags: postfix
+  tags: [ 'postfix', 'postfix_conf' ]
 
 - block:
     - name: Ensure that postfix is stopped and disabled
diff --git a/library/roles/postfix/templates/main.cf.j2 b/library/roles/postfix/templates/main.cf.j2
index 4501ebb..38ad03f 100644
--- a/library/roles/postfix/templates/main.cf.j2
+++ b/library/roles/postfix/templates/main.cf.j2
@@ -486,6 +486,8 @@ virtual_mailbox_domains = {{ postfix_virtual_mailbox_domains }}
 virtual_mailbox_maps = {% for mbmap in postfix_virtual_mailbox_maps %}{{ mbmap }} {% endfor %}
 
 virtual_alias_maps = {% for mbmap in postfix_virtual_alias_maps %}{{ mbmap }} {% endfor %}
+
+virtual_mailbox_limit = {{ postfix_message_size_limit }}
 {% endif %}
 
 # The luser_relay parameter specifies an optional destination address
@@ -536,6 +538,7 @@ smtpd_delay_reject = yes
 smtpd_helo_required = yes
 
 mailbox_size_limit = {{ postfix_message_size_limit }}
+message_size_limit = {{ postfix_message_size_limit }}
 
 {% if postfix_use_milter %}
 #
@@ -563,27 +566,37 @@ smtpd_milters =
 smtpd_client_restrictions =
    permit_mynetworks
    permit_inet_interfaces
+{% if postfix_submission_server %}
+   permit_sasl_authenticated
+{% endif %}
+   reject
+{% if postfix_submission_server %}
 smtpd_sasl_path = smtpd
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = {{ postfix_smtp_sasl_security_options }}
 smtpd_sasl_tls_security_options = {{ postfix_smtp_sasl_tls_security_options }}
 smtpd_sasl_authenticated_header = yes
 broken_sasl_auth_clients = yes
-smtpd_helo_required = yes
+# Block clients that speak too early.
+smtpd_data_restrictions = reject_unauth_pipelining
+{% endif %}
 {% if postfix_smtpd_reject_unknown_helo_hostname %}
 # Don't talk to mail systems that don't know their own hostname. Use with care: it breaks most dialup setups
 smtpd_helo_restrictions = reject_unknown_helo_hostname
 {% endif %}
-# Block clients that speak too early.
-smtpd_data_restrictions = reject_unauth_pipelining
-# Our internal servers talk to the submission port so they are treated as clients
-smtpd_client_restrictions = permit_inet_interfaces, permit_sasl_authenticated, reject
+{% if postfix_reject_unknown_sender_domain %}
 # Don't accept mail from domains that don't exist.
 smtpd_sender_restrictions = reject_unknown_sender_domain
+{% endif %}
+{% if postfix_submission_server %}
 # Relay control: local clients and
 # authenticated clients may specify any destination domain.
 smtpd_relay_restrictions = permit_sasl_authenticated, reject
 {% endif %}
+{% if postfix_behind_haproxy %}
+smtpd_upstream_proxy_protocol=haproxy
+{% endif %}
+{% endif %}
 
 # FAST ETRN SERVICE
 #
diff --git a/library/roles/postfix/templates/master.cf.j2 b/library/roles/postfix/templates/master.cf.j2
index 12b71d1..303253d 100644
--- a/library/roles/postfix/templates/master.cf.j2
+++ b/library/roles/postfix/templates/master.cf.j2
@@ -8,12 +8,14 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
+{% if postfix_smtpd_server %}
 smtp      inet  n       -       n       -       -       smtpd
+{% endif %}
 #smtp      inet  n       -       n       -       1       postscreen
 #smtpd     pass  -       -       n       -       -       smtpd
 #dnsblog   unix  -       -       n       -       0       dnsblog
 #tlsproxy  unix  -       -       n       -       0       tlsproxy
-{% if postfix_smtpd_server %}
+{% if postfix_submission_server %}
 submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level={{ postfix_smtpd_tls_security_level }}