diff --git a/roles/mail_server/tests/test_optional.py b/roles/mail_server/tests/test_optional.py
index a74b2007b7232263706c974c3a0467f55ccdd5b7..abe076746d7f5af29e57fe0d17d3abcf89c00757 100644
--- a/roles/mail_server/tests/test_optional.py
+++ b/roles/mail_server/tests/test_optional.py
@@ -104,3 +104,178 @@ def test_local_aliases(Command, File, Sudo):
 mail_log = File('/var/log/mail.log')
 pattern = "dovecot: lda\(john.doe@domain1\): msgid=<[^.]*.%s@[^>]*>: saved mail to INBOX" % message_id
 assert re.search(pattern, mail_log.content) is not None
+
+
+def test_dovecot_mailbox_directories(File, Sudo):
+ """
+ Tests if mailbox directories are created correctly.
+ """
+
+ with Sudo():
+
+ for directory_path in ["/var/virtmail/domain1",
+ "/var/virtmail/domain1/john.doe",
+ "/var/virtmail/domain1/john.doe/Maildir",
+ "/var/virtmail/domain2",
+ "/var/virtmail/domain2/jane.doe",
+ "/var/virtmail/domain1/john.doe/Maildir"]:
+
+ directory = File(directory_path)
+
+ assert directory.is_directory
+ assert directory.user == "virtmail"
+ assert directory.group == "virtmail"
+ assert directory.mode == 0o700
+
+
+def test_mail_owner(Group, User):
+ """
+ Tests creation of mail owner group and user.
+ """
+
+ group = Group("virtmail")
+ assert group.exists
+ assert group.gid == 5000
+
+ user = User("virtmail")
+ assert user.exists
+ assert user.uid == 5000
+ assert user.home == "/var/virtmail"
+ assert user.group == "virtmail"
+ assert user.groups == ["virtmail"]
+
+
+def test_imap_tls_configuration(Command):
+ """
+ Tests TLS configuration for IMAP in Dovecot.
+ """
+
+ # Test plain connectivity first.
+ starttls = Command('echo "a0001 LOGOUT" | openssl s_client -quiet -starttls imap -connect parameters-optional:143')
+ assert starttls.rc == 0
+ assert '* BYE Logging out' in starttls.stdout
+
+ tls = Command('echo "a0001 LOGOUT" | openssl s_client -quiet -connect parameters-optional:993')
+ assert tls.rc == 0
+ assert '* BYE Logging out' in starttls.stdout
+
+ # Test TLS protocol versions.
+ starttls = Command('echo "a0001 LOGOUT" | openssl s_client -quiet -starttls imap -no_tls1_2 -connect parameters-optional:143')
+ assert starttls.rc == 0
+ assert '* BYE Logging out' in starttls.stdout
+
+ tls = Command('echo "a0001 LOGOUT" | openssl s_client -quiet -no_tls1_2 -connect parameters-optional:993')
+ assert tls.rc == 0
+ assert '* BYE Logging out' in starttls.stdout
+
+ starttls = Command("echo 'a0001 LOGOUT' | openssl s_client -quiet -starttls imap -no_tls1_1 -no_tls1_2 -connect parameters-optional:143")
+ assert starttls.rc != 0
+ assert "write:errno=104" in starttls.stderr
+
+ tls = Command("echo 'a0001 LOGOUT' | openssl s_client -quiet -no_tls1_1 -no_tls1_2 -connect parameters-optional:993")
+ assert tls.rc != 0
+ assert "write:errno=104" in tls.stderr
+
+ # Test at least one strong TLS cipher.
+ starttls_cipher = Command("echo 'a0001 LOGOUT' | openssl s_client -starttls imap -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:143")
+ assert starttls_cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA256" in starttls_cipher.stdout
+
+ tls_cipher = Command("echo 'a0001 LOGOUT' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:993")
+ assert tls_cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA256" in tls_cipher.stdout
+
+ # Test weaker TLS cipher that was explicitly configured
+ starttls_cipher = Command("echo 'a0001 LOGOUT' | openssl s_client -starttls imap -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:143")
+ assert starttls_cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA" in starttls_cipher.stdout
+
+ tls_cipher = Command("echo 'a0001 LOGOUT' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:993")
+ assert tls_cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA" in tls_cipher.stdout
+
+
+def test_dovecot_postmaster(Command, Sudo):
+ """
+ Tests if Dovecot postmaster has been correctly configured.
+ """
+
+ with Sudo():
+
+ config = Command("doveadm config")
+
+ assert config.rc == 0
+ assert " postmaster_address = webmaster@parameters-optional" in config.stdout
+
+
+def test_imap_max_user_connections_per_ip(Command, Sudo):
+ """
+ Tests if Dovecot per-user connection limit has been set-up correctly.
+ """
+
+ with Sudo():
+
+ config = Command("doveadm config")
+
+ assert config.rc == 0
+ assert " mail_max_userip_connections = 2" in config.stdout
+
+
+def test_postfix_tls_configuration(Command):
+ """
+ Tests TLS configuration for SMTP in Postfix.
+ """
+
+ # Test TLS protocol versions for default port (all should be enabled).
+ starttls = Command("echo 'QUIT' | openssl s_client -quiet -starttls smtp -no_tls1 -no_tls1_1 -connect parameters-optional:25")
+ assert starttls.rc == 0
+ assert '221 2.0.0 Bye' in starttls.stdout
+
+ starttls = Command("echo 'QUIT' | openssl s_client -quiet -starttls smtp -no_tls1_2 -connect parameters-optional:25")
+ assert starttls.rc == 0
+ assert '221 2.0.0 Bye' in starttls.stdout
+
+ starttls = Command("echo 'QUIT' | openssl s_client -quiet -starttls smtp -no_tls1_2 -no_tls1_1 -connect parameters-optional:25")
+ assert starttls.rc == 0
+ assert '221 2.0.0 Bye' in starttls.stdout
+
+ # Test TLS protocol versions for submission port (only TLS 1.1 and TLS 1.2 should be enabled).
+ starttls = Command("echo 'QUIT' | openssl s_client -quiet -starttls smtp -connect parameters-optional:587")
+ assert starttls.rc == 0
+ assert '221 2.0.0 Bye' in starttls.stdout
+
+ starttls = Command("echo 'QUIT' | openssl s_client -quiet -starttls smtp -no_tls1_2 -connect parameters-optional:587")
+ assert starttls.rc == 0
+ assert '221 2.0.0 Bye' in starttls.stdout
+
+ starttls = Command("echo 'QUIT' | openssl s_client -quiet -starttls smtp -no_tls1_1 -no_tls1_2 -connect parameters-optional:587")
+ assert starttls.rc != 0
+ assert 'write:errno=104' in starttls.stderr
+
+ # Test ciphers for default port (less restrictive).
+ starttls_cipher = Command("echo 'QUIT' | openssl s_client -starttls smtp -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:25")
+ assert starttls_cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA256" in starttls_cipher.stdout
+
+ starttls_cipher = Command("echo 'QUIT' | openssl s_client -starttls smtp -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:25")
+ assert starttls_cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA" in starttls_cipher.stdout
+
+ # Test ciphers for submission port (at least one weak cipher was configured).
+ starttls_cipher = Command("echo 'QUIT' | openssl s_client -starttls smtp -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:587")
+ assert starttls_cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA256" in starttls_cipher.stdout
+
+ starttls_cipher = Command("echo 'QUIT' | openssl s_client -starttls smtp -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:587")
+ assert starttls_cipher.rc == 0
+ assert "ECDHE-RSA-AES128-SHA" in starttls_cipher.stdout
+
+
+def test_sieve_tls_configuration(Command):
+ """
+ Tests TLS configuration for SIEVE in Dovecot
+ """
+
+ # @TODO: Currently not possible to test since openssl s_client does not
+ # support STARTTLS for Sieve.
+ pass
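Review bot: In test_imap_tls_configuration both implicit-TLS checks on port 993 assert against `starttls.stdout` instead of `tls.stdout`, so the response of the TLS-only IMAP listener is never actually verified and those assertions pass whenever the preceding STARTTLS check did; both should read `assert '* BYE Logging out' in tls.stdout`. In test_dovecot_mailbox_directories the path `/var/virtmail/domain1/john.doe/Maildir` is listed twice while jane.doe's Maildir under domain2 is never checked, so the last entry was presumably meant to be `"/var/virtmail/domain2/jane.doe/Maildir"`. The disabled-protocol checks in test_imap_tls_configuration and test_postfix_tls_configuration pin a client-side string, `write:errno=104`, that depends on the server resetting the connection rather than sending a handshake-failure alert, which may vary across OpenSSL, Dovecot and Postfix versions; asserting on `rc != 0` alone, or accepting either failure signature, would keep the intent (old protocol versions rejected) without that brittleness.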