diff --git a/roles/postfwd/handlers/main.yml b/roles/postfwd/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1713364b14363e162dff89eacdd252567d0c29e8
--- /dev/null
+++ b/roles/postfwd/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: reload postfwd
+  service: name=postfwd state=reloaded
+
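Review bot: The handler passes its module arguments as a single `key=value` string (`service: name=postfwd state=reloaded`), which is harder to lint and diff than native YAML arguments. Consider `service:` with `name: postfwd` and `state: reloaded` as indented keys beneath it. The three tasks in roles/postfwd/tasks/main.yml use the same inline form.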
diff --git a/roles/postfwd/tasks/main.yml b/roles/postfwd/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fe1eb58b462e4683ece1f63a4b217267965e2030
--- /dev/null
+++ b/roles/postfwd/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: install postfwd
+  pacman: name=postfwd state=present
+
+- name: install postfwd.cf
+  template: src=postfwd.cf.j2 dest=/etc/postfwd/postfwd.cf owner=root group=root mode=600
+  notify:
+    - reload postfwd
+
+- name: start and enable postfwd
+  service: name=postfwd enabled=yes state=started
+
+
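Review bot: `mode=600` on the "install postfwd.cf" task yields 0600 only because the key=value form hands Ansible a string. If the line is later rewritten as native YAML `mode: 600`, the value becomes decimal 600 and the file gets different permission bits. Writing it as `mode: "0600"` (quoted, with the leading zero) keeps the root-only permission on /etc/postfwd/postfwd.cf explicit and stable across reformatting. If the postfwd daemon drops privileges after start-up, it is worth confirming that it can still read a root:root 0600 file when the `reload postfwd` handler fires. `enabled=yes` on the last task reads more clearly as `enabled: true`.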
diff --git a/roles/postfwd/templates/postfwd.cf.j2 b/roles/postfwd/templates/postfwd.cf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..b6b4864d8653d96cf73201871b5b07765d5fccf9
--- /dev/null
+++ b/roles/postfwd/templates/postfwd.cf.j2
@@ -0,0 +1,29 @@
+# skip lower rate limiting for certain users
+# TODO: populate this from a variable if the feature is used
+&&SASL_WHITELIST {
+	sasl_username=devnull;
+};
+
+# skip lower rate limiting for certain users
+# sasl_username != doesn't work for whatever reason
+id=SaslWhitelist;
+	protocol_state==END-OF-MESSAGE;
+	&&SASL_WHITELIST;
+	action=rcpt(sasl_username/300/21600/REJECT You can only send to 300 recipients per 6h per user)
+
+# skip lower rate limiting for certain users
+id=SaslWhitelist2;
+	protocol_state==END-OF-MESSAGE;
+	&&SASL_WHITELIST;
+	action=dunno;
+
+# sasl_username != doesn't work for whatever reason
+id=RcptRate;
+	protocol_state==END-OF-MESSAGE;
+	sasl_username!~/^$/;
+	action=rcpt(sasl_username/100/21600/REJECT You can only send to 100 recipients per 6h per user)
+
+# this causes postfwd to log something for every mail; easier testing
+id=logging;
+	protocol_state==END-OF-MESSAGE;
+	action=dunno;
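Review bot: The comments on the whitelist rules do not describe what the rules do. "skip lower rate limiting for certain users" appears three times, and the "sasl_username != doesn't work" remark above `id=SaslWhitelist` seems to belong only to `id=RcptRate`. The ruleset appears to rely on `SaslWhitelist` registering the 300-recipient counter and `SaslWhitelist2` then returning `dunno`, so whitelisted users never reach the 100-recipient `RcptRate` rule. Since the limit depends on that ordering, it should be stated once, e.g. `# whitelisted users: apply the 300/6h limit, then stop (dunno) before RcptRate; keep these two rules above RcptRate`. The `logging` rule is described as a testing aid, so its comment should say whether it is meant to stay in production. The hard-coded `sasl_username=devnull` entry is already covered by the TODO.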