diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 81b8b98dbf92cf8856753ec1a79a35ddcaa83dd7..8a1cfe194a9c2466a6abb14bff5f2c040c0d54b2 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1870,6 +1870,7 @@ Distribution compatibility
 Role is compatible with the following distributions:
 
 - Debian 8 (Jessie)
+- Debian 9 (Stretch)
 
 
 Examples
diff --git a/roles/wsgi_website/molecule/default/molecule.yml b/roles/wsgi_website/molecule/default/molecule.yml
index 10af90780cb1b084286d6d1f0b00e7d29ce8546e..90807f2521dd65b09398df8ee4752bc85dac64ba 100644
--- a/roles/wsgi_website/molecule/default/molecule.yml
+++ b/roles/wsgi_website/molecule/default/molecule.yml
@@ -17,10 +17,23 @@ platforms:
   - name: wsgi-website-jessie64
     groups:
       - wsgi-website
+      - parameters-mandatory
+      - parameters-optional
+      - jessie
     box: debian/contrib-jessie64
     memory: 512
     cpus: 1
 
+  - name: wsgi-website-stretch64
+    groups:
+      - wsgi-website
+      - parameters-mandatory
+      - parameters-optional
+      - stretch
+    box: debian/contrib-stretch64
+    memory: 512
+    cpus: 1
+
 provisioner:
   name: ansible
   config_options:
diff --git a/roles/wsgi_website/molecule/default/playbook.yml b/roles/wsgi_website/molecule/default/playbook.yml
index e183f522738307ea147c0f6a7abf6592b37674c1..8a81844fdda1250c2d8a1696fc3d8847f4546406 100644
--- a/roles/wsgi_website/molecule/default/playbook.yml
+++ b/roles/wsgi_website/molecule/default/playbook.yml
@@ -38,7 +38,8 @@
       https_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.local_https.cert.pem') }}"
       https_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.local_https.key.pem') }}"
       packages:
-        - libmariadb-client-lgpl-dev-compat
+        - "{% if ansible_distribution_release == 'jessie' %}libmariadb-client-lgpl-dev-compat\
+{% elif ansible_distribution_release == 'stretch' %}libmariadbclient-dev-compat{% endif %}"
         - global
       proxy_headers:
         Accept-Encoding: '""'
diff --git a/roles/wsgi_website/molecule/default/prepare.yml b/roles/wsgi_website/molecule/default/prepare.yml
index bed5c4baf2b6830ae2dd982b8726cd0d30ed84c3..96e7a8518615b9ae8e567204f19f649c5d62ff39 100644
--- a/roles/wsgi_website/molecule/default/prepare.yml
+++ b/roles/wsgi_website/molecule/default/prepare.yml
@@ -33,11 +33,42 @@
         name: swaks
         state: present
 
+    - name: Install net-tools for testing sockets
+      apt:
+        name: net-tools
+        state: present
+
     - name: Install Postfix for testing mail forwarding (Exim4 not covered)
       apt:
         name: postfix
         state: present
 
+    - name: Install procmail for consistency with mail_server and mail_forwarder roles
+      apt:
+        name: procmail
+        state: present
+
+    - name: Update Postfix configuration
+      lineinfile:
+        path: /etc/postfix/main.cf
+        regexp: "^{{ item.key }}"
+        line: "{{ item.value }}"
+        state: present
+      with_dict:
+        myhostname: "myhostname = {{ inventory_hostname }}"
+        mailbox_command: 'mailbox_command = procmail -a "$EXTENSION"'
+      notify:
+        - Restart Postfix
+
+    - name: Direct all mails from the root account to vagrant (Stretch image does not do that by default)
+      lineinfile:
+        path: /etc/aliases
+        regexp: "^root"
+        line: "root: vagrant"
+        state: present
+      notify:
+        - Generate aliases database
+
     - name: Set-up group for an additional user
       group:
         name: user
@@ -49,5 +80,17 @@
         group: user
         shell: /bin/bash
 
-    - name: Rename the ss utility (see https://github.com/philpep/testinfra/pull/320)
-      command: "mv /bin/ss /bin/ss.bak"
+    - name: Remove the ss utility (see https://github.com/philpep/testinfra/pull/320)
+      file:
+        path: "/bin/ss"
+        state: absent
+
+  handlers:
+
+    - name: Restart Postfix
+      service:
+        name: postfix
+        state: restarted
+
+    - name: Generate aliases database
+      command: "/usr/bin/newaliases"
diff --git a/roles/wsgi_website/molecule/default/tests/test_default.py b/roles/wsgi_website/molecule/default/tests/test_default.py
index 521f8f77b7354dd38490d5bc789c750881b9f68c..e239e277f975e9b6c4b3d6bdf46d2dd1ad22e97c 100644
--- a/roles/wsgi_website/molecule/default/tests/test_default.py
+++ b/roles/wsgi_website/molecule/default/tests/test_default.py
@@ -210,7 +210,7 @@ def test_mail_forwarding(host, original_destination, expected_destination_user):
 
     send = host.run('swaks --suppress-data --to ' + original_destination)
     assert send.rc == 0
-    message_id = re.search('Ok: queued as (.*)', send.stdout).group(1)
+    original_queue_id = re.search('Ok: queued as (.*)', send.stdout).group(1)
 
     # Sleep for a couple of seconds so the mail can get delivered.
     time.sleep(5)
@@ -219,11 +219,11 @@ def test_mail_forwarding(host, original_destination, expected_destination_user):
         mail_log = host.file('/var/log/mail.log')
 
         # First extract message ID of forwarded mail.
-        pattern = "%s: to=<%s>.*status=sent \(forwarded as ([^)]*)\)" % (message_id, original_destination)
-        message_id = re.search(pattern, mail_log.content).group(1)
+        pattern = "%s: to=<%s>.*status=sent \(forwarded as ([^)]*)\)" % (original_queue_id, original_destination)
+        forward_queue_id = re.search(pattern, mail_log.content).group(1)
 
         # Now try to determine where the forward ended-up at.
-        pattern = "%s: to=<%s@%s>, orig_to=<%s>.*status=sent" % (message_id, expected_destination_user, hostname, original_destination)
+        pattern = "%s: to=<%s@%s>, orig_to=<%s>.*status=sent" % (forward_queue_id, expected_destination_user, hostname, original_destination)
         assert re.search(pattern, mail_log.content) is not None
 
 
diff --git a/roles/wsgi_website/molecule/default/tests/test_parameters_mandatory.py b/roles/wsgi_website/molecule/default/tests/test_parameters_mandatory.py
index e106308f81759979c67ff75c85cf1567511f95f1..c55f568b73b97e1ffa1a7da872dc086a8fe5fc1f 100644
--- a/roles/wsgi_website/molecule/default/tests/test_parameters_mandatory.py
+++ b/roles/wsgi_website/molecule/default/tests/test_parameters_mandatory.py
@@ -4,7 +4,7 @@ import testinfra.utils.ansible_runner
 
 
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['all'])
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-mandatory'])
 
 
 def test_https_enforcement(host):
diff --git a/roles/wsgi_website/molecule/default/tests/test_parameters_optional.py b/roles/wsgi_website/molecule/default/tests/test_parameters_optional.py
index a09441491f1c38a818322fc36dbaaef2ef4caa21..51bfe67a4d02fe0063c9198fa3286e3a36a72427 100644
--- a/roles/wsgi_website/molecule/default/tests/test_parameters_optional.py
+++ b/roles/wsgi_website/molecule/default/tests/test_parameters_optional.py
@@ -4,7 +4,7 @@ import testinfra.utils.ansible_runner
 
 
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['all'])
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-optional'])
 
 
 def test_installed_packages(host):
@@ -12,19 +12,15 @@ def test_installed_packages(host):
     Tests if additional packages are installed.
     """
 
-    assert host.package('libmariadb-client-lgpl-dev-compat').is_installed
-    assert host.package('global').is_installed
+    ansible_facts = host.ansible("setup")["ansible_facts"]
 
+    if ansible_facts['ansible_distribution_release'] == 'jessie':
+        mariadb_compat_package = 'libmariadb-client-lgpl-dev-compat'
+    elif ansible_facts['ansible_distribution_release'] == 'stretch':
+        mariadb_compat_package = 'libmariadbclient-dev-compat'
 
-def test_mariadb_compat_symlink(host):
-    """
-    Tests if compatibility symlink is set-up for mysql_config binary if
-    libmariadb-client-lgpl-dev-compat is installed.
-    """
-
-    link = host.file('/usr/bin/mysql_config')
-    assert link.is_symlink
-    assert link.linked_to == "/usr/bin/mariadb_config"
+    assert host.package(mariadb_compat_package).is_installed
+    assert host.package('global').is_installed
 
 
 def test_https_enforcement(host):
diff --git a/roles/wsgi_website/molecule/default/tests/test_parameters_optional_jessie].py b/roles/wsgi_website/molecule/default/tests/test_parameters_optional_jessie].py
new file mode 100644
index 0000000000000000000000000000000000000000..34f8a19d011f713f432a5a989e660afa09dfa29c
--- /dev/null
+++ b/roles/wsgi_website/molecule/default/tests/test_parameters_optional_jessie].py
@@ -0,0 +1,17 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['jessie'])
+
+
+def test_mariadb_compat_symlink(host):
+    """
+    Tests if compatibility symlink is set-up for mysql_config binary if
+    libmariadb-client-lgpl-dev-compat is installed.
+    """
+
+    link = host.file('/usr/bin/mysql_config')
+    assert link.is_symlink
+    assert link.linked_to == "/usr/bin/mariadb_config"
diff --git a/roles/wsgi_website/tasks/main.yml b/roles/wsgi_website/tasks/main.yml
index e20812dc5310950d213c7d828aa117c0e9f638cb..b2ce178b4e8dc385d2fd8bd791304810aa2048cd 100644
--- a/roles/wsgi_website/tasks/main.yml
+++ b/roles/wsgi_website/tasks/main.yml
@@ -50,6 +50,10 @@
     createhome: false
     state: present
     home: "{{ home }}"
+    # This is a workaround for a rather stupid bug that Debian seems
+    # uninterested to backport -
+    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
+    shell: /bin/sh
 
 - name: Add nginx user to website group
   user: