diff --git a/tasks/mail.yaml b/tasks/mail.yaml
index 2402eef..2f7c9d1 100644
--- a/tasks/mail.yaml
+++ b/tasks/mail.yaml
@@ -90,6 +90,38 @@
           requests:
             storage: 2Ti
 
+- name: Create a ConfigMap for encryption
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: certs
+        namespace: mail
+      data:
+        privkey.pem: "{{ mail_encryption_privkey }}"
+        pubkey.pem: "{{ mail_encryption_pubkey }}"
+
+- name: Create a ConfigMap for Dovecot
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: dovecot
+        namespace: mail
+      data:
+        10-encryption.conf: |
+          # Enables mail_crypt for all services (pop3, pop3, etc)
+          mail_plugins = $mail_plugins mail_crypt
+          plugin {
+            mail_crypt_global_private_key = </certs/privkey.pem
+            mail_crypt_global_public_key = </certs/pubkey.pem
+            mail_crypt_save_version = 2
+          }
+
 - name: Create a deployment
   k8s:
     definition:
@@ -141,8 +173,13 @@
                   seccompProfile:
                     type: RuntimeDefault
                 volumeMounts:
+                  - name: certs
+                    mountPath: /certs
                   - name: config
                     mountPath: /tmp/docker-mailserver
+                  - name: dovecot
+                    mountPath: /etc/dovecot/conf.d/10-encryption.conf
+                    subPath: 10-encryption.conf
                   - name: ssl
                     mountPath: /etc/letsencrypt
                   - name: mail
@@ -207,6 +244,9 @@
                   - name: SSL_KEY_PATH
                     value: "/etc/letsencrypt/tls.key"
             volumes:
+              - name: certs
+                configMap:
+                  name: certs
               - name: ssl
                 secret:
                   secretName: mail
@@ -219,6 +259,9 @@
               - name: dkim
                 persistentVolumeClaim:
                   claimName: dkim
+              - name: dovecot
+                configMap:
+                  name: dovecot
 
 - name: Expose deployment as a service
   k8s: