diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index 29ccd7aa..62baa41b 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -312,10 +312,28 @@ service imap-login {
 process_limit = 10000
 vsz_limit = 1G
 user = dovenull
+ inet_listener imap_haproxy {
+ port = 10143
+ haproxy = yes
+ }
+ inet_listener imaps_haproxy {
+ port = 10993
+ ssl = yes
+ haproxy = yes
+ }
 }
 service pop3-login {
 service_count = 1
 vsz_limit = 1G
+ inet_listener pop3_haproxy {
+ port = 10110
+ haproxy = yes
+ }
+ inet_listener pop3s_haproxy {
+ port = 10995
+ ssl = yes
+ haproxy = yes
+ }
 }
 service imap {
 executable = imap imap-postlogin
diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index 89ba5dd9..0bb445d8 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@@ -1,5 +1,8 @@
 # inter-mx with postscreen on 25/tcp
 smtp inet n - n - 1 postscreen
+10025 inet n - n - 1 postscreen
+ -o postscreen_upstream_proxy_protocol=haproxy
+ -o syslog_name=haproxy
 smtpd pass - - n - - smtpd
 -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
 -o smtpd_sasl_auth_enable=no
@@ -13,6 +16,13 @@ smtps inet n - n - - smtpd
 -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
 -o tls_preempt_cipherlist=yes
 -o syslog_name=postfix/smtps
+10465 inet n - n - - smtpd
+ -o smtpd_upstream_proxy_protocol=haproxy
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+ -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
+ -o tls_preempt_cipherlist=yes
+ -o syslog_name=postfix/smtps-haproxy
 # smtpd with starttls on 587/tcp
 # TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf
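Review bot: The four new `haproxy = yes` listeners depend on `haproxy_trusted_networks`, which this hunk does not set and does not mention, so a reader of dovecot.conf alone cannot tell why connections to 10143/10993/10110/10995 are refused when it is unset (Dovecot only accepts the PROXY header from addresses in that list) or why the list must stay limited to the load balancer's own addresses (every host listed there can assert an arbitrary client IP, which then feeds IP-based logging and login penalties). I would add above `inet_listener imap_haproxy`: `# PROXY-protocol listeners, reachable via HAProxy only. Require haproxy_trusted_networks in extra.conf,` / `# limited to the load balancer's address(es): any host listed there can spoof the client IP.` The same two-line comment belongs above `inet_listener pop3_haproxy`. The enclosing `service imap-login` block starts before the hunk.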
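Review bot: `-o syslog_name=haproxy` on the new 10025 postscreen entry drops the `postfix/` prefix used by every other entry in this file, including the `postfix/smtps-haproxy` and `postfix/submission-haproxy` names added by the same commit, so anything matching on `postfix/` in the logs (parsers, ban rules) will miss this listener; I would change it to `-o syslog_name=postfix/postscreen-haproxy`. Postfix also has no trusted-proxy list, so the PROXY header is honored from whichever peer connects to 10025; that constraint should be stated next to the entry, e.g. `# 10025: PROXY-protocol ingress from HAProxy only -- the forwarded client IP is unauthenticated, never expose this port directly`.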
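Review bot: The 10465 entry pairs `smtpd_upstream_proxy_protocol=haproxy` with `smtpd_client_restrictions=permit_mynetworks,...`, and since Postfix accepts the PROXY header unauthenticated from any connecting peer, a host that can reach 10465 directly can send a forged PROXY line naming an address in `$mynetworks` and relay without SASL. The compose override in this commit binds the port to 127.0.0.1 by default, but that is overridable through `SMTPS_PORT_HAPROXY`, so the constraint belongs in master.cf itself: `# PROXY header is trusted from any peer: 10465 must be reachable from HAProxy only (permit_mynetworks would honor a spoofed address)`. Because Postfix performs the TLS handshake here (`smtpd_tls_wrappermode=yes`), HAProxy presumably runs in TCP mode and sends the PROXY header before the client's ClientHello; a comment stating that assumption would save the next operator from trying to terminate TLS on the proxy.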
@@ -23,6 +33,14 @@ submission inet n - n - - smtpd
 -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
 -o tls_preempt_cipherlist=yes
 -o syslog_name=postfix/submission
+10587 inet n - n - - smtpd
+ -o smtpd_upstream_proxy_protocol=haproxy
+ -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+ -o smtpd_enforce_tls=yes
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
+ -o tls_preempt_cipherlist=yes
+ -o syslog_name=postfix/submission-haproxy
 # used by SOGo
 # smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function
diff --git a/helper-scripts/docker-compose.override.yml.d/HAPROXY/docker-compose.override.yml b/helper-scripts/docker-compose.override.yml.d/HAPROXY/docker-compose.override.yml
new file mode 100644
index 00000000..9ebe4e96
--- /dev/null
+++ b/helper-scripts/docker-compose.override.yml.d/HAPROXY/docker-compose.override.yml
@@ -0,0 +1,19 @@
+##
+## Set haproxy_trusted_networks in Dovecots extra.conf!
+#รä
+
+version: '2.1'
+services:
+
+ dovecot-mailcow:
+ ports:
+ - "${IMAP_PORT_HAPROXY:-127.0.0.1:10143}:10143"
+ - "${IMAPS_PORT_HAPROXY:-127.0.0.1:10993}:10993"
+ - "${POP_PORT_HAPROXY:-127.0.0.1:10110}:10110"
+ - "${POPS_PORT_HAPROXY:-127.0.0.1:10995}:10995"
+
+ postfix-mailcow:
+ ports:
+ - "${SMTP_PORT_HAPROXY:-127.0.0.1:10025}:10025"
+ - "${SMTPS_PORT_HAPROXY:-127.0.0.1:10465}:10465"
+ - "${SUBMISSION_PORT_HAPROXY:-127.0.0.1:10587}:10587"
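Review bot: The 10587 entry sets both `smtpd_enforce_tls=yes` and `smtpd_tls_security_level=encrypt`; `smtpd_enforce_tls` is the legacy form that `smtpd_tls_security_level` superseded, so the first of the two lines is redundant and can be dropped (it was presumably carried over from the existing submission entry, whose option lines lie mostly outside this hunk). As on 10465, `permit_mynetworks` is evaluated against an address taken from an unauthenticated PROXY header, so the same warning belongs above this entry: `# PROXY header is trusted from any peer: 10587 must be reachable from HAProxy only (permit_mynetworks would honor a spoofed address)`. STARTTLS is negotiated by Postfix on this port, so HAProxy has to pass the TCP stream through rather than terminate TLS; a comment saying so would help.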
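Review bot: The header comment warns only about Dovecot's `haproxy_trusted_networks`, but the Postfix ports 10025/10465/10587 published here also accept an unauthenticated PROXY header, and Postfix has no equivalent trusted-networks setting, so reachability is the only control for them. I would extend the comment to say that the `*_PORT_HAPROXY` defaults bind to 127.0.0.1 on purpose and that overriding them with a non-loopback address must go together with a firewall rule admitting the load balancer only, e.g. `## Postfix trusts the PROXY header from any peer: keep the *_PORT_HAPROXY bindings reachable from HAProxy only.` The third header line `#รä` is a mis-encoded character, presumably meant to be `##`, and "Dovecots" should read "Dovecot's".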