diff --git a/hosts/mail/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix index 91939cf..bfae2c4 100644 --- a/hosts/mail/modules/dovecot.nix +++ b/hosts/mail/modules/dovecot.nix @@ -27,6 +27,27 @@ let default_pass_scheme = CRYPT ''; + ldapConfigFallback = pkgs.writeText "dovecot-ldap-fallback.conf" '' + hosts = ldap.cloonar.com + tls = yes + dn = "cn=vmail,ou=system,ou=users,dc=cloonar,dc=com" + dnpass = "@ldap-password@" + auth_bind = no + ldap_version = 3 + base = ou=users,dc=cloonar,dc=com + user_filter = (&(objectClass=mailAccount)(mail=%u)(!(mailSendOnly=TRUE))) + user_attrs = \ + quota=quota_rule=*:bytes=%$, \ + =home=/var/vmail/%d/%n/, \ + =mail=maildir:/var/vmail/%d/%n/Maildir + pass_attrs = mail=user,userPassword=password + pass_filter = (&(objectClass=mailAccount)(mail=%u)) + iterate_attrs = =user=%{ldap:mail} + iterate_filter = (objectClass=mailAccount) + scope = subtree + default_pass_scheme = CRYPT + ''; + doveSync = pkgs.writeShellScriptBin "dove-sync.sh" '' #!/usr/bin/env bash SERVER=''${1} @@ -59,6 +80,10 @@ let doveadm user *@docfast.dev | while read user; do doveadm -v sync -u $user $SERVER done + + doveadm user *@macher.solutions | while read user; do + doveadm -v sync -u $user $SERVER + done ''; quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" '' @@ -157,6 +182,14 @@ in args = /run/dovecot2/ldap.conf driver = ldap } + userdb { + args = /run/dovecot2/ldap-fallback.conf + driver = ldap + } + passdb { + args = /run/dovecot2/ldap-fallback.conf + driver = ldap + } service imap-login { client_limit = 1000 @@ -247,6 +280,7 @@ in systemd.services.dovecot.preStart = '' sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf + sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfigFallback} > /run/dovecot2/ldap-fallback.conf ''; systemd.services.dovecot = { 
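Review bot: `ldapConfigFallback` searches `base = ou=users,dc=cloonar,dc=com`, the existing tree, while the suffix this commit creates in openldap.nix is `dc=macher,dc=solutions`; if the primary `ldap.conf` (not visible in this hunk) already uses the cloonar base, the fallback is a duplicate of it and accounts under the new suffix are never looked up by Dovecot. Assuming the fallback is meant for the new database, the line should read `base = ou=users,dc=macher,dc=solutions` (and that `ou` has to exist there). While touching it, `tls_require_cert = hard` next to `tls = yes` would pin certificate verification for the `cn=vmail` bind instead of leaving it to the libldap default, which a system `ldap.conf` can relax.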
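Review bot: The new `doveadm user *@macher.solutions | while read user` loop in `dove-sync.sh` copies the unquoted form of the loop above it: `*@macher.solutions` is subject to shell globbing in whatever directory the script runs from, `read` without `-r` mangles backslashes, and `$user` is expanded unquoted on the `doveadm sync` line. Safer is `doveadm user '*@macher.solutions' | while read -r user; do doveadm -v sync -u "$user" "$SERVER"; done`. The existing loops have the same shape but are outside this change.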
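Review bot: The added `sed` line in `preStart` interpolates the LDAP bind password into sed's argument list via `$(cat …)`, where it is readable in `/proc/<pid>/cmdline` by any local user for the duration of the call, and a secret containing `/`, `&` or `\` silently corrupts the `s///` expression. nixpkgs has `replace-secret` (used by several NixOS modules for exactly this), which reads the secret from its file: `install -m 0600 ${ldapConfigFallback} /run/dovecot2/ldap-fallback.conf` followed by `${pkgs.replace-secret}/bin/replace-secret '@ldap-password@' ${config.sops.secrets.dovecot-ldap-password.path} /run/dovecot2/ldap-fallback.conf`. The explicit mode also stops the rendered file from depending on the unit's umask; the existing `ldap.conf` line has the same issues but is not part of this change.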
diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix index bb76d7a..600fc4f 100644 --- a/hosts/mail/modules/openldap.nix +++ b/hosts/mail/modules/openldap.nix @@ -50,6 +50,7 @@ in by self write by anonymous auth by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write + by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write by * none @@ -290,6 +291,42 @@ in ]; }; + "olcDatabase={3}mdb".attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + + olcDatabase = "{3}mdb"; + olcDbDirectory = "/var/lib/openldap/data"; + + olcSuffix = "dc=macher,dc=solutions"; + + olcAccess = [ + '' + {0}to attrs=userPassword + by self write + by anonymous auth + by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write + by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * none + '' + '' + {1}to attrs=pgpPublicKey + by self write + by anonymous read + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + '' + {2}to * + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + ]; + }; + "olcDatabase={5}mdb".attrs = { objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; diff --git a/hosts/mail/modules/postfix.nix b/hosts/mail/modules/postfix.nix index 8511430..5085f4b 100644 --- a/hosts/mail/modules/postfix.nix +++ b/hosts/mail/modules/postfix.nix 
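Review bot: The added `by dn="cn=authelia,…" write` on `userPassword` lets the Authelia service account set the password of every entry in this database, including members of `cn=Administrators`, so a compromise of the Authelia host or of that bind password becomes a password reset on any account. If Authelia runs in its usual mode of binding as the user to verify a login, `by anonymous auth` already covers authentication and `write` is only required for its password-reset feature; if reset is not enabled against this directory, drop the line, and if it is, consider a narrower rule such as `to dn.subtree="ou=users,dc=cloonar,dc=com" attrs=userPassword` placed before this one so that `ou=system` and administrative accounts stay out of reach.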
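Review bot: `olcDbDirectory = "/var/lib/openldap/data"` on the new `{3}mdb` database must not be shared with any other mdb backend; each mdb database needs its own directory, otherwise two backends write the same `data.mdb` and corrupt each other. The other databases' directories are outside this hunk, so please confirm the path is unique — a name like `/var/lib/openldap/macher-solutions` makes that obvious, and the directory has to exist before slapd starts. Separately, `{2}to * … by * read` lets anonymous binds read every attribute of every entry under `dc=macher,dc=solutions` (mail addresses, `mailSendOnly`, group membership); if that mirrors the existing databases it may be intentional, but `by users read` costs nothing for the mail services in this commit, which all bind as `cn=vmail`. An `olcDbIndex = [ "objectClass eq" "mail eq" ];` would also let the `(mail=%u)` filters the new dovecot/postfix tables issue run as indexed lookups rather than full scans.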
@@ -78,10 +78,67 @@ let debuglevel = 0 ''; + mailboxesFallback = pkgs.writeText "mailboxes-fallback.cf" '' + server_host = ldap://${ldapServer} + search_base = ou=users,dc=cloonar,dc=com + version = 3 + bind = yes + start_tls = yes + bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com + bind_pw = @ldap-password@ + scope = sub + query_filter = (&(mail=%s)(objectClass=mailAccount)(!(mailSendOnly=TRUE))) + result_attribute = mail + debuglevel = 0 + ''; + + accountsmapFallback = pkgs.writeText "accountsmap-fallback.cf" '' + server_host = ldap://${ldapServer} + search_base = ou=users,dc=cloonar,dc=com + version = 3 + bind = yes + start_tls = yes + bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com + bind_pw = @ldap-password@ + scope = sub + query_filter = (&(objectClass=mailAccount)(mail=%s)) + result_attribute = mail + debuglevel = 0 + ''; + + aliasesFallback = pkgs.writeText "aliases-fallback.cf" '' + server_host = ldap://${ldapServer} + search_base = ou=aliases,dc=cloonar,dc=com + version = 3 + bind = yes + start_tls = yes + bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com + bind_pw = @ldap-password@ + scope = one + query_filter = (&(objectClass=mailAlias)(mail=%s)(!(mailSendOnly=TRUE))) + result_attribute = maildrop + debuglevel = 0 + ''; + + senderLoginMapsFallback = pkgs.writeText "sender_login_maps-fallback.cf" '' + server_host = ldap://${ldapServer} + search_base = dc=cloonar,dc=com + version = 3 + bind = yes + start_tls = yes + bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com + bind_pw = @ldap-password@ + scope = sub + query_filter = (|(&(objectClass=mailAccount)(mail=%s))(&(objectClass=mailAlias)(mail=%s))) + result_attribute = maildrop, mail + debuglevel = 0 + ''; + helo_access = pkgs.writeText "helo_access" '' /^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1}) cloonar.com REJECT ACCESS DENIED. 
Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1}) ghetto.at REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1}) + macher.solutions REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1}) ''; in { @@ -116,10 +173,10 @@ in # smtp_bind_address6 = "2a01:4f9:2b:1605::1"; mailbox_transport = "lmtp:unix:private/dovecot-lmtp"; virtual_mailbox_domains = "ldap:/run/postfix/domains.cf"; - virtual_mailbox_maps = "ldap:/run/postfix/mailboxes.cf"; - virtual_alias_maps = "ldap:/run/postfix/accountsmap.cf,ldap:/run/postfix/aliases.cf"; + virtual_mailbox_maps = "ldap:/run/postfix/mailboxes.cf,ldap:/run/postfix/mailboxes-fallback.cf"; + virtual_alias_maps = "ldap:/run/postfix/accountsmap.cf,ldap:/run/postfix/accountsmap-fallback.cf,ldap:/run/postfix/aliases.cf,ldap:/run/postfix/aliases-fallback.cf"; virtual_transport = "lmtp:unix:private/dovecot-lmtp"; - smtpd_sender_login_maps = "ldap:/run/postfix/sender_login_maps.cf"; + smtpd_sender_login_maps = "ldap:/run/postfix/sender_login_maps.cf,ldap:/run/postfix/sender_login_maps-fallback.cf"; # Do not display the name of the recipient table in the "User unknown" responses. # The extra detail makes trouble shooting easier but also reveals information 
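Review bot: The four new `*-fallback.cf` tables set `bind = yes` and `start_tls = yes` but not `tls_require_cert`, and Postfix's ldap_table default for that parameter is `no`, so the `cn=vmail` bind password is sent to whatever answers at `${ldapServer}` after an unverified STARTTLS. Add `tls_require_cert = yes` together with `tls_ca_cert_file = <CA bundle>` to each of them; the primary tables are outside this hunk but presumably need the same. Note also that the fallbacks use `search_base = ou=users,dc=cloonar,dc=com` and `ou=aliases,dc=cloonar,dc=com`, which is the existing tree rather than the `dc=macher,dc=solutions` suffix this commit creates — if they are meant for that domain the base should change, otherwise they only repeat the primary lookups at twice the LDAP cost.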
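Review bot: The rewritten `virtual_mailbox_maps`, `virtual_alias_maps` and `smtpd_sender_login_maps` are now long comma-joined strings that are hard to read and to diff; if these sit under `services.postfix.config`, the NixOS module accepts a list of strings and joins it with `, ` itself, e.g. `virtual_mailbox_maps = [ "ldap:/run/postfix/mailboxes.cf" "ldap:/run/postfix/mailboxes-fallback.cf" ];`. Postfix consults the tables left to right and the first match wins, so the primary/fallback order written here decides precedence — a one-line comment above the block saying so would help whoever adds the next domain. The enclosing attribute set starts and ends outside this hunk.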
@@ -222,6 +279,10 @@ in sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${accountsmap} > /run/postfix/accountsmap.cf sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${aliases} > /run/postfix/aliases.cf sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${senderLoginMaps} > /run/postfix/sender_login_maps.cf + sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${mailboxesFallback} > /run/postfix/mailboxes-fallback.cf + sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${accountsmapFallback} > /run/postfix/accountsmap-fallback.cf + sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${aliasesFallback} > /run/postfix/aliases-fallback.cf + sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${senderLoginMapsFallback} > /run/postfix/sender_login_maps-fallback.cf ''; security.dhparams = { diff --git a/hosts/web-arm/modules/authelia.nix b/hosts/web-arm/modules/authelia.nix index 45a33b7..1fe16ad 100644 --- a/hosts/web-arm/modules/authelia.nix +++ b/hosts/web-arm/modules/authelia.nix @@ -194,6 +194,10 @@ in { policy = "one_factor"; subject = "group:Mitarbeiter"; } + { + policy = "one_factor"; + subject = "group:macher.solutions"; + } ]; }; };
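Review bot: Each of the four new `sed` lines in the Postfix `preStart` puts the LDAP password on sed's command line, where it is briefly visible to every local user in `/proc/<pid>/cmdline`, and a secret containing `/`, `&` or `\` breaks the `s///` expression without an error; the rendered `/run/postfix/*-fallback.cf` files also inherit whatever umask the unit runs with. `pkgs.replace-secret` reads the secret from its file instead: `install -m 0640 -g postfix ${mailboxesFallback} /run/postfix/mailboxes-fallback.cf` followed by `${pkgs.replace-secret}/bin/replace-secret '@ldap-password@' ${config.sops.secrets.dovecot-ldap-password.path} /run/postfix/mailboxes-fallback.cf`, repeated per table (a `for` over the four names keeps it short). The tables are read by Postfix's unprivileged daemons, so keep a group/mode they can still open if you tighten permissions. The existing lines above share the problem but are not part of this change.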