diff --git a/mail-toaster.sh b/mail-toaster.sh index ba7c5830..84e3050f 100755 --- a/mail-toaster.sh +++ b/mail-toaster.sh @@ -1016,11 +1016,25 @@ stage_fbsd_package() stage_setup_tls() { + # static TLS certificates (installed at deploy) if [ ! -f "$STAGE_MNT/etc/ssl/certs/${TOASTER_MAIL_DOMAIN}.pem" ]; then tell_status "installing TLS certificate" cp /etc/ssl/certs/server.crt "$STAGE_MNT/etc/ssl/certs/${TOASTER_MAIL_DOMAIN}.pem" cp /etc/ssl/private/server.key "$STAGE_MNT/etc/ssl/private/${TOASTER_MAIL_DOMAIN}.pem" fi + + # dynamic TLS certs, kept up-to-date by acme.sh or certbot + if [ ! -f "$STAGE_MNT/data/etc/tls/certs" ]; then + # shellcheck disable=SC2174 + mkdir -m 0644 -p "$STAGE_MNT/data/etc/tls/certs" + cp /etc/ssl/certs/server.crt "$STAGE_MNT/data/etc/tls/certs/${TOASTER_MAIL_DOMAIN}.pem" + fi + + if [ ! -f "$STAGE_MNT/data/etc/tls/private" ]; then + # shellcheck disable=SC2174 + mkdir -m 0640 -p "$STAGE_MNT/data/etc/tls/private" + cp /etc/ssl/private/server.key "$STAGE_MNT/data/etc/tls/private/${TOASTER_MAIL_DOMAIN}.pem" + fi } unmount_data() diff --git a/provision/base.sh b/provision/base.sh index ace88585..b3a197e9 100755 --- a/provision/base.sh +++ b/provision/base.sh @@ -125,7 +125,7 @@ do done # packages to be updated automatically -auto_upgrade="curl expat libxml2 pkg sudo vim-tiny" +auto_upgrade="curl expat libxml2 pkg sudo unbound vim-tiny" # add packages with: # sysrc -f /usr/local/etc/periodic/daily/auto_security_upgrades auto_upgrade+=" $NEW" @@ -140,14 +140,12 @@ EO_PKG_SECURITY configure_ssl_dirs() { if [ ! -d "$BASE_MNT/etc/ssl/certs" ]; then - mkdir "$BASE_MNT/etc/ssl/certs" + mkdir -m 0644 "$BASE_MNT/etc/ssl/certs" fi if [ ! -d "$BASE_MNT/etc/ssl/private" ]; then - mkdir "$BASE_MNT/etc/ssl/private" + mkdir -m 0640 "$BASE_MNT/etc/ssl/private" fi - - chmod o-r "$BASE_MNT/etc/ssl/private" } configure_tls_dhparams() diff --git a/provision/haproxy.sh b/provision/haproxy.sh index 156583fd..b149a883 100755 --- a/provision/haproxy.sh 
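Review bot: The two new guards in stage_setup_tls test a directory path with `-f`, which is false for a directory, so both blocks run on every provision and `cp` overwrites whatever acme.sh/certbot has placed under /data/etc/tls with the static server.crt/server.key — the opposite of what the comment promises. The directory modes are also off: `-m 0644` / `-m 0640` omit the execute bit, so no non-root process can traverse those directories (and, as the SC2174 suppression acknowledges, only the leaf directory receives the mode at all). Change both tests and modes, e.g. for the private block `if [ ! -d "$STAGE_MNT/data/etc/tls/private" ]; then` and `mkdir -m 0750 -p "$STAGE_MNT/data/etc/tls/private"`, and likewise `-d` / `-m 0750` or `-m 0755` for the certs block. It would also be safer to copy the placeholder only when no `${TOASTER_MAIL_DOMAIN}.pem` exists yet, mirroring the static block just above.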
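Review bot: In configure_ssl_dirs, `mkdir -m 0644` and `mkdir -m 0640` create directories without the execute bit, so nothing running as non-root can traverse `$BASE_MNT/etc/ssl/certs` or `$BASE_MNT/etc/ssl/private`; directories want `mkdir -m 0755` and `mkdir -m 0750` respectively. Dropping the unconditional `chmod o-r` is also a regression for existing installs: the mode is now applied only when the directory is created, so a pre-existing world-readable private directory is left untouched. Keep a mode fix outside the `if`, e.g. `chmod 0750 "$BASE_MNT/etc/ssl/private"` as the last line of the function.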
+++ b/provision/haproxy.sh @@ -82,7 +82,7 @@ defaults frontend http-in #mode tcp bind :::80 v4v6 alpn http/1.1 - bind :::443 v4v6 alpn http/1.1 ssl crt /etc/ssl/private crt /data/ssl.d + bind :::443 v4v6 alpn http/1.1 ssl crt /etc/ssl/private crt /data/etc/tls.d # ciphers AES128+EECDH:AES128+EDH http-request set-header X-Forwarded-Proto https if { ssl_fc } @@ -256,9 +256,9 @@ defaults frontend default-http bind $(get_jail_ip stage):80 - bind $(get_jail_ip stage):443 alpn http/1.1 ssl crt /data/ssl.d + bind $(get_jail_ip stage):443 alpn http/1.1 ssl crt /data/etc/tls.d bind [$(get_jail_ip6 stage)]:80 - bind [$(get_jail_ip6 stage)]:443 alpn http/1.1 ssl crt /data/ssl.d + bind [$(get_jail_ip6 stage)]:443 alpn http/1.1 ssl crt /data/etc/tls.d default_backend www_webmail @@ -283,7 +283,7 @@ install_ocsp_stapler() OPENSSL=/usr/bin/openssl # Path to certificates -PEMSDIR=/data/ssl.d +PEMSDIR=/data/etc/tls.d # Path to log output to LOGDIR=/var/log/haproxy @@ -294,7 +294,7 @@ UPDATED=0 cd ${PEMSDIR} for pem in *.pem; do - echo "= $(date)" >> ${LOGDIR}/${pem}.log + echo "= $(date)" >> "$LOGDIR/${pem}.log" # Get the OCSP URL from the certificate ocsp_url=$($OPENSSL x509 -noout -ocsp_uri -in $pem) @@ -318,7 +318,7 @@ for pem in *.pem; do done if [ $UPDATED -gt 0 ]; then - echo "= $(date) - Updated $UPDATED OCSP responses" >> ${LOGDIR}/${pem}.log + echo "= $(date) - Updated $UPDATED OCSP responses" >> "${LOGDIR}/${pem}.log" service haproxy reload > ${LOGDIR}/service-reload.log 2>&1 else echo "= $(date) - No updates" >> ${LOGDIR}/${pem}.log @@ -340,9 +340,9 @@ configure_haproxy_tls() mkdir -p "$ZFS_DATA_MNT/haproxy/ssl" fi - if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl.d" ]; then - tell_status "creating /data/ssl.d" - mkdir -p "$ZFS_DATA_MNT/haproxy/ssl.d" + if [ ! -d "$ZFS_DATA_MNT/haproxy/etc/tls.d" ]; then + tell_status "creating /data/etc/tls.d" + mkdir -p "$ZFS_DATA_MNT/haproxy/etc/tls.d" fi install_ocsp_stapler "$STAGE_MNT/usr/local/etc/periodic/daily/501.ocsp-staple.sh" 
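Review bot: The quoting fix in the `@@ -294` and `@@ -318` hunks of the generated OCSP script is applied inconsistently: the `Updated … OCSP responses` redirection is quoted, but the `No updates` line and the `service haproxy reload > ${LOGDIR}/service-reload.log` redirection two lines below keep the unquoted form, and `-in $pem` in the `@@ -294` hunk is still unquoted. Both summary lines also reuse `${pem}` after the `for` loop has finished, so the summary lands in the log of whichever certificate was processed last — or in a literal `*.pem.log` when the glob matched nothing; a dedicated summary log (say `"$LOGDIR/ocsp-staple.log"`, name constructed) would be clearer. The loop body between the two hunks is not part of the diff.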
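Review bot: The `@@ -340` hunk of configure_haproxy_tls creates the new `etc/tls.d` directory but provides no migration for the certificates an existing deployment already keeps in `$ZFS_DATA_MNT/haproxy/ssl.d`, while the `@@ -82` and `@@ -256` bind lines and `PEMSDIR` now point only at `/data/etc/tls.d`. On an upgraded host that leaves the new `crt` directory empty; if haproxy rejects an empty `crt` directory at config check (I believe it does, worth confirming against the pinned version), the proxy will not start after re-provisioning. Moving the old directory across when the new one does not yet exist would close that gap.
```shell
	if [ -d "$ZFS_DATA_MNT/haproxy/ssl.d" ] && [ ! -d "$ZFS_DATA_MNT/haproxy/etc/tls.d" ]; then
		tell_status "migrating /data/ssl.d to /data/etc/tls.d"
		mkdir -p "$ZFS_DATA_MNT/haproxy/etc"
		mv "$ZFS_DATA_MNT/haproxy/ssl.d" "$ZFS_DATA_MNT/haproxy/etc/tls.d"
	fi
	# … unchanged: create /data/etc/tls.d when absent, install_ocsp_stapler …
```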
diff --git a/provision/snappymail.sh b/provision/snappymail.sh index d3477b51..4328edd0 100755 --- a/provision/snappymail.sh +++ b/provision/snappymail.sh @@ -76,10 +76,6 @@ configure_nginx_server() fastcgi_pass php; } - location ~ /\.ht { - deny all; - } - location ^~ /data { deny all; } diff --git a/provision/spamassassin.sh b/provision/spamassassin.sh index bd31b4a8..cdbcc556 100755 --- a/provision/spamassassin.sh +++ b/provision/spamassassin.sh @@ -241,7 +241,7 @@ configure_spamassassin_mysql() local _my_pass; _my_pass=$(get_random_pass 18 safe) tee -a "$_sa_etc/sql.cf" < - +
@@ -273,6 +363,31 @@ body { EO_INDEX } +configure_webmail_pf() +{ + _pf_etc="$ZFS_DATA_MNT/webmail/etc/pf.conf.d" + + if [ "$TOASTER_WEBMAIL_PROXY" = "nginx" ]; then + store_config "$_pf_etc/rdr.conf" < port { 80 443 } -> \$int_ip4 +rdr inet6 proto tcp from any to port { 80 443 } -> \$int_ip6 +EO_HTTP_RDR + fi + + store_config "$_pf_etc/allow.conf" < persist { \$int_ip4, \$int_ip6 } + +pass in quick proto tcp from any to port { 80 443 } +pass in quick proto tcp from any to port { 80 443 } +EO_HTTP_ALLOW +} + configure_webmail() { if [ "$WEBMAIL_HTTPD" = "lighttpd" ]; then @@ -282,6 +397,8 @@ configure_webmail() configure_nginx_server fi + configure_webmail_pf + _htdocs="$ZFS_DATA_MNT/webmail/htdocs" if [ ! -d "$_htdocs" ]; then mkdir -p "$_htdocs" @@ -299,6 +416,15 @@ User-agent: * Disallow: / EO_ROBOTS_TXT fi + + if [ "$TOASTER_WEBMAIL_PROXY" = "nginx" ]; then + stage_exec acme.sh --set-default-ca --server letsencrypt + stage_exec acme.sh -d "$TOASTER_HOSTNAME" --issue --webroot=/data/htdocs + stage_exec acme.sh --install-cert -d "$TOASTER_HOSTNAME" \ + --key-file /data/etc/tls/private/$TOASTER_HOSTNAME.pem \ + --fullchain-file /data/etc/tls/certs/$TOASTER_HOSTNAME.pem \ + --reloadcmd "service nginx reload" + fi } start_webmail()
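Review bot: `_pf_etc` in configure_webmail_pf is assigned without `local`, so it leaks into the caller's scope; elsewhere in this diff function-scoped temporaries are declared with `local` (`local _my_pass` in spamassassin.sh), so `local _pf_etc="$ZFS_DATA_MNT/webmail/etc/pf.conf.d"` keeps the style consistent. Nothing in the hunk creates `$_pf_etc` before `store_config` writes into it, so unless store_config creates parent directories a fresh provision will fail at the first `rdr.conf` write; a `mkdir -p "$_pf_etc"` at the top of the function makes that explicit either way. The rule text inside the here-documents appears garbled in this rendering (the destination operands after `to` are missing), so I cannot check the pf syntax; separately, `rdr.conf` is written only for the nginx proxy case while `allow.conf` is unconditional, which deserves a one-line comment stating why.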
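Review bot: In the `@@ -299` hunk the result of `acme.sh --issue` is never checked, so when the HTTP-01 challenge cannot reach the stage jail's webroot at provision time (DNS not yet pointed at this host, port 80 not reachable) `--install-cert` runs anyway and the outcome depends on whether the caller runs under `set -e`; either way the failure is silent or aborts provisioning mid-function. acme.sh also reports "not yet due for renewal" on a re-run with its own non-zero status (2, as far as I recall — confirm against the installed acme.sh), which a plain success check would misread as a failure. The `--key-file` and `--fullchain-file` arguments additionally expand `$TOASTER_HOSTNAME` unquoted; and note that stage_setup_tls in mail-toaster.sh installs the static placeholder as `${TOASTER_MAIL_DOMAIN}.pem` while this hunk installs `$TOASTER_HOSTNAME.pem`, so if those two variables differ the nginx server block (not in this diff) references one or the other and the placeholder is never replaced — worth confirming which name nginx uses.
```shell
	if [ "$TOASTER_WEBMAIL_PROXY" = "nginx" ]; then
		stage_exec acme.sh --set-default-ca --server letsencrypt
		_acme_rc=0
		stage_exec acme.sh -d "$TOASTER_HOSTNAME" --issue --webroot=/data/htdocs || _acme_rc=$?
		# 0 = issued; 2 = acme.sh "not yet due for renewal" (TODO confirm for the pinned acme.sh)
		if [ "$_acme_rc" -eq 0 ] || [ "$_acme_rc" -eq 2 ]; then
			stage_exec acme.sh --install-cert -d "$TOASTER_HOSTNAME" \
				--key-file "/data/etc/tls/private/$TOASTER_HOSTNAME.pem" \
				--fullchain-file "/data/etc/tls/certs/$TOASTER_HOSTNAME.pem" \
				--reloadcmd "service nginx reload"
		else
			tell_status "ACME issuance failed (rc=$_acme_rc); keeping the static certificate"
		fi
	fi
```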