diff --git a/Dockerfile b/Dockerfile
index 8bd6ca2..b1588a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,84 @@
+FROM alpine:3.8 as builder
+
+RUN apk --no-cache add \
+    rpcgen \
+    g++ \
+    make \
+    libressl \
+    libressl-dev \
+    lua-dev \
+    openldap-dev \
+    libsodium-dev \
+    linux-pam-dev \
+    zlib-dev \
+    bzip2-dev \
+    xz-dev \
+    lz4-dev \
+    icu-dev \
+    inotify-tools-dev
+
+RUN mkdir /tmp/dovecot
+RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar -xz -C /tmp/dovecot --strip 2
+
+RUN mkdir /tmp/pigeonhole
+RUN wget -qO- https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz | tar -xz -C /tmp/pigeonhole --strip 1
+
+RUN cd /tmp/dovecot && \
+    ./configure --prefix '' \
+    --with-notify=inotify \
+    --with-lua \
+    --with-zlib \
+    --with-bzlib \
+    --with-pam \
+    --with-ssl=openssl \
+    --with-sodium \
+    --without-sql \
+    --with-ldap \
+    --with-lzma \
+    --with-lz4 \
+    --with-icu \
+    --without-shadow \
+    --with-ssldir=/etc/ssl/mail \
+    --with-rundir=/run/dovecot \
+    --disable-static && \
+    make && \
+    make install
+
+RUN cd /tmp/pigeonhole && \
+    ./configure --prefix '' \
+    --with-ldap=yes \
+    --with-dovecot=/lib/dovecot \
+    --disable-static && \
+    make && make install
+
 FROM thallian/confd-env:latest
 
-RUN apk add --no-cache \
-    dovecot \
-    dovecot-ldap \
-    dovecot-pigeonhole-plugin \
-    dovecot-pigeonhole-plugin-ldap \
+COPY --from=builder /lib/dovecot/ /lib/dovecot/
+COPY --from=builder /libexec/dovecot/ /libexec/dovecot/
+COPY --from=builder /bin/doveadm /bin/doveadm
+COPY --from=builder /bin/doveconf /bin/doveconf
+COPY --from=builder /bin/dsync /bin/dsync
+COPY --from=builder /sbin/dovecot /sbin/dovecot
+COPY --from=builder /bin/sieve* /bin/
+
+RUN apk --no-cache add \
+    libsodium \
+    libbz2 \
+    zlib \
+    lz4 \
+    linux-pam \
     libressl \
     ssmtp \
-    ca-certificates
+    ca-certificates \
+    lua \
+    lua-ldap \
+    inotify-tools
+
+RUN addgroup -g 150 dovecot
+RUN adduser -u 140 -h /dev/null -H -s /sbin/nologin -D -G dovecot dovecot
+
+RUN addgroup -g 151 dovenull
+RUN adduser -u 141 -h /dev/null -H -s /sbin/nologin -D -G dovenull dovenull
 
 RUN addgroup -g 2222 access
 RUN addgroup dovecot access
@@ -15,11 +86,14 @@ RUN addgroup dovecot access
 RUN addgroup -g 1111 vmail
 RUN adduser -u 1111 -h /var/lib/vmail -D -G vmail vmail
 
+RUN mkdir -p /etc/dovecot/conf.d
 RUN mkdir /var/lib/vmail/sieve-after/
-RUN chown vmail:vmail /var/lib/vmail/sieve-after/
+
+RUN chown -R vmail:vmail /var/lib/vmail/sieve-after/
 
 EXPOSE 143 4190 6334 7777
 
 VOLUME /var/lib/vmail/mail/ /etc/ssl/mail
 
 ADD /rootfs /
+
diff --git a/README.md b/README.md
index d99c1d5..9104bc1 100644
--- a/README.md
+++ b/README.md
@@ -29,8 +29,8 @@ Which authentication mechanism to use for the smtp relay.
 
 Whether to use starttls for the smtp relay.
 
-## LDAP_URI
-Complete uri for the authentication ldap host.
+## LDAP_HOST
+Ldap hostname (can include the port).
 
 ## LDAP_SIEVE_HOST
 Has to be the same as `LDAP_URI` but in a different format (like `ldap:389`).
@@ -73,10 +73,11 @@ The ldap attribute which contains the sieve rules.
 
 Whether to use tls when connecting to the ldap host.
 
-## LDAP_DEFAULT_PASSSCHEME
-- default: SSHA
+## LDAP_APP_PASSWORDS_BASE_DN
+Base DN to look for app passwords for a user.
 
-Default password scheme used on the ldap host.
+## LDAP_APP_PASSWORDS_FILTER
+Specifies the filter on what counts as an app password.
 
 ## ALLOWED_USERNAME_CHARS
 - default: äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
@@ -84,7 +85,7 @@ Default password scheme used on the ldap host.
 List of characters allowed in a username.
 
 ## AUTH_MECHANISMS
-- default: plain login
+- default: plain
 
 Space seperated list of supported [authentication mechanisms](http://wiki2.dovecot.org/Authentication/Mechanisms).
 
@@ -96,16 +97,19 @@ Name of the certificate domain.
 
 Length of the Diffie-Helman key in bits.
 
-## SSL_PROTOCOLS
-- default: !SSLv2 !SSLv3
+## SSL_MIN_PROTOCOL
+- default: TLSv1
 
-Space seperated list of allowed ssl protocols (`!`disables a protocol).
+Ssl minimum protocol version.
 
 ## SSL_CIPHERLIST
-- default: ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM
+- default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 
 Colon seperated list of supported ciphers (`!`disables a cipher).
 
+Go [here](https://www.openssl.org/docs/manmaster/man1/ciphers.html) for a list
+of ciphers.
+
 ## IMAP_MAX_USER_CONNECTIONS
 - default: 10
 
diff --git a/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml b/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
new file mode 100644
index 0000000..07b70b0
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
@@ -0,0 +1,3 @@
+[template]
+src = "app-passwords-lookup.lua.tmpl"
+dest = "/etc/dovecot/app-passwords-lookup.lua"
diff --git a/rootfs/etc/confd/templates/10-auth.conf.tmpl b/rootfs/etc/confd/templates/10-auth.conf.tmpl
index e40f07c..f7c7b0f 100644
--- a/rootfs/etc/confd/templates/10-auth.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-auth.conf.tmpl
@@ -1,4 +1,4 @@
 auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
 auth_username_format = %Lu
-auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain login"}}
+auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
 !include auth-ldap.conf.ext
diff --git a/rootfs/etc/confd/templates/10-mail.conf.tmpl b/rootfs/etc/confd/templates/10-mail.conf.tmpl
index fb1f0f4..3c064c3 100644
--- a/rootfs/etc/confd/templates/10-mail.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-mail.conf.tmpl
@@ -6,19 +6,21 @@ namespace inbox {
     auto = subscribe
     special_use = \Junk
   }
- 
+
   mailbox Trash {
     auto = subscribe
     special_use = \Trash
   }
- 
+
   mailbox Sent {
     auto = subscribe
     special_use = \Sent
   }
- 
+
   mailbox Drafts {
     auto = subscribe
     special_use = \Drafts
   }
 }
+
+mail_plugin_dir = /lib/dovecot
diff --git a/rootfs/etc/confd/templates/10-ssl.conf.tmpl b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
index 3d11a67..34c079e 100644
--- a/rootfs/etc/confd/templates/10-ssl.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
@@ -1,7 +1,7 @@
 ssl = yes
 ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
 ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
-ssl_dh_parameters_length = {{getenv "SSL_DH_LENGTH" "2048"}}
-ssl_protocols = {{getenv "SSL_PROTOCOLS" "!SSLv2 !SSLv3"}}
-ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM"}}
+ssl_dh=</etc/ssl/mail/dh.pem
+ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}
+ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH "}}
 ssl_prefer_server_ciphers = yes
diff --git a/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl b/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
new file mode 100644
index 0000000..3c697b8
--- /dev/null
+++ b/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
@@ -0,0 +1,55 @@
+require "lualdap"
+
+function auth_passdb_lookup(req)
+    local ldap_host = "{{ getenv "LDAP_HOST" }}"
+    local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
+    local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
+    local ldap_use_tls = {{ if eq (getenv "LDAP_USE_TLS") "yes" }}true{{ else }}false{{ end }}
+
+    ld = assert (lualdap.open_simple(
+        ldap_host,
+        ldap_bin_dn,
+        ldap_bind_password,
+        ldap_use_tls))
+
+    local username = req.user
+    local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
+    local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
+    local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"
+
+    local user_count = 0
+    for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
+        user_count = user_count + 1
+    end
+
+    local return_code = dovecot.auth.PASSDB_RESULT_NEXT
+    local return_text = ""
+
+    local user_exists = user_count == 1
+    if user_exists then
+        local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
+        local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
+        local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
+        local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" "cn" }}"
+
+        local user_password = req.password
+
+        for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
+            req:log_info(string.format("trying %s...", dn))
+
+            local test_conn = lualdap.open_simple(
+                ldap_host,
+                dn,
+                user_password,
+                ldap_use_tls)
+            if test_conn ~= nil then
+                req:log_info(string.format("%s suceeded!", dn))
+                return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
+            end
+        end
+    else
+        return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
+    end
+
+    return return_code, return_text
+end
diff --git a/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl b/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl
index 9ef7ec4..64048e4 100644
--- a/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl
@@ -3,6 +3,11 @@ passdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
 }
 
+passdb {
+   driver = lua
+   args = file=/etc/dovecot/app-passwords-lookup.lua
+}
+
 userdb {
   driver = static
   args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
diff --git a/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl b/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl
index 751b3ab..2bc6c91 100644
--- a/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl
@@ -1,4 +1,4 @@
-uris = {{getenv "LDAP_URI"}}
+uris = ldap://{{getenv "LDAP_HOST"}}
 dn = {{getenv "LDAP_BIND_DN"}}
 dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
 tls = {{getenv "LDAP_USE_TLS" "yes"}}
diff --git a/rootfs/etc/cont-init.d/02-dhparam b/rootfs/etc/cont-init.d/02-dhparam
new file mode 100644
index 0000000..7bb26b0
--- /dev/null
+++ b/rootfs/etc/cont-init.d/02-dhparam
@@ -0,0 +1,5 @@
+#!/usr/bin/with-contenv sh
+
+if [ ! -f /etc/ssl/mail/dh.pem ]; then
+    openssl dhparam -out /etc/ssl/mail/dh.pem ${SSL_DH_LENGTH:-2048}
+fi
diff --git a/rootfs/etc/fix-attrs.d/00-mails b/rootfs/etc/fix-attrs.d/00-mails
index 492cfe6..777bfac 100644
--- a/rootfs/etc/fix-attrs.d/00-mails
+++ b/rootfs/etc/fix-attrs.d/00-mails
@@ -1 +1 @@
-/var/lib/vmail/mail true vmail 0640 0750
\ No newline at end of file
+/var/lib/vmail/mail true vmail 0640 0750