diff --git a/roles/mail_server/tests/test_client2.py b/roles/mail_server/tests/test_client2.py
new file mode 100644
index 0000000000000000000000000000000000000000..765732a95df4fd2ad2fac69d9506f4bdf4b7954f
--- /dev/null
+++ b/roles/mail_server/tests/test_client2.py
@@ -0,0 +1,136 @@
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    '.molecule/ansible_inventory').get_hosts('client2')
+
+
+def test_open_relay(Command):
+    """
+    Tests if mail server behaves as open relay.
+    """
+
+    no_recipients_accepted = 24
+
+    send = Command('swaks --suppress-data --to root@client1 --server parameters-mandatory')
+    assert send.rc == no_recipients_accepted
+    assert "Relay access denied" in send.stdout
+
+    send = Command('swaks --suppress-data --to root@client1 --server parameters-optional')
+    assert send.rc == no_recipients_accepted
+    assert "Relay access denied" in send.stdout
+
+
+def test_mail_delivery(Command):
+    """
+    Tests if mails can be delivered to valid accounts. Has to be run on client
+    with no unauthenticated relay permissions.
+    """
+
+    no_recipients_accepted = 24
+
+    # Valid accounts.
+    send = Command('swaks --suppress-data --to john.doe@domain1 --server parameters-mandatory')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    send = Command('swaks --suppress-data --to john.doe@domain1 --server parameters-optional')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    send = Command('swaks --suppress-data --to jane.doe@domain2 --server parameters-mandatory')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    send = Command('swaks --suppress-data --to jane.doe@domain2 --server parameters-optional')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    # Invalid accounts.
+    send = Command('swaks --suppress-data --to john.doe@domain2 --server parameters-mandatory')
+    assert send.rc == no_recipients_accepted
+    assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout
+
+    send = Command('swaks --suppress-data --to john.doe@domain2 --server parameters-optional')
+    assert send.rc == no_recipients_accepted
+    assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout
+
+    send = Command('swaks --suppress-data --to jane.doe@domain1 --server parameters-mandatory')
+    assert send.rc == no_recipients_accepted
+    assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout
+
+    send = Command('swaks --suppress-data --to jane.doe@domain1 --server parameters-optional')
+    assert send.rc == no_recipients_accepted
+    assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout
+
+    # Valid aliases.
+    send = Command('swaks --suppress-data --to postmaster@domain1 --server parameters-mandatory')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    send = Command('swaks --suppress-data --to postmaster@domain1 --server parameters-optional')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    send = Command('swaks --suppress-data --to webmaster@domain2 --server parameters-mandatory')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    send = Command('swaks --suppress-data --to webmaster@domain2 --server parameters-optional')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+    # Invalid aliases.
+    send = Command('swaks --suppress-data --to postmaster@domain2 --server parameters-mandatory')
+    assert send.rc == no_recipients_accepted
+    assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout
+
+    send = Command('swaks --suppress-data --to postmaster@domain2 --server parameters-optional')
+    assert send.rc == no_recipients_accepted
+    assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout
+
+    send = Command('swaks --suppress-data --to webmaster@domain1 --server parameters-mandatory')
+    assert send.rc == no_recipients_accepted
+    assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout
+
+    send = Command('swaks --suppress-data --to webmaster@domain1 --server parameters-optional')
+    assert send.rc == no_recipients_accepted
+    assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout
+
+
+def test_smtp_authentication(Command):
+    """
+    Tests if SMTP authentication works via TLS and allows sending mails to
+    anywhere.
+    """
+
+    send = Command('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    assert send.rc == 0
+    assert "Ok: queued as" in send.stdout
+
+
+def test_smtp_authentication_requires_tls(Command):
+    """
+    Tests if SMTP authentication requires TLS.
+    """
+
+    auth_error = 28
+
+    send = Command('swaks --port 587 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    assert send.rc == auth_error
+    assert "Host did not advertise authentication" in send.stdout
+
+
+def test_smtp_authentication_requires_submission_port(Command):
+    """
+    Tests if SMTP authentication cannot be done on regular SMTP port.
+    """
+
+    auth_error = 28
+
+    send = Command('swaks --port 25 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    assert send.rc == auth_error
+    assert "Host did not advertise authentication" in send.stdout
+
+    send = Command('swaks -tls --port 25 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+    assert send.rc == auth_error
+    assert "Host did not advertise authentication" in send.stdout