diff --git a/roles/mail/files/etc-dovecot-conf.d-10-ssl.conf b/roles/mail/files/etc-dovecot-conf.d-10-ssl.conf
new file mode 100644
index 0000000..fcebade
--- /dev/null
+++ b/roles/mail/files/etc-dovecot-conf.d-10-ssl.conf
@@ -0,0 +1,13 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = </etc/ssl/mail.crt
+ssl_key = </etc/ssl/mail.key
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 16a7c2b..b89ed11 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -56,6 +56,9 @@
 - name: Copy dovecot config files - dovecot-mysql.conf
   template: src=dovecot-mysql.conf dest=/etc/dovecot/ owner=root mode=655
 
+- name: Copy dovecot config file - 10-ssl.conf
+  copy: src=etc-dovecot-conf.d-10-ssl.conf dest=/etc/dovecot/conf.d/10-ssl.conf owner=root mode=644
+
 - name: Copy postfixadmin config files - dbconfig.inc.php pfxadmin
   template: src=dbconfig.inc.php dest=/etc/postfixadmin/ owner=root mode=655