diff --git a/optional/traefik-certdumper/.dockerignore b/optional/traefik-certdumper/.dockerignore
new file mode 100644
index 00000000..9b54c5ba
--- /dev/null
+++ b/optional/traefik-certdumper/.dockerignore
@@ -0,0 +1,2 @@
+README.md
+Dockerfile
diff --git a/optional/traefik-certdumper/Dockerfile b/optional/traefik-certdumper/Dockerfile
new file mode 100644
index 00000000..c8a3aa3f
--- /dev/null
+++ b/optional/traefik-certdumper/Dockerfile
@@ -0,0 +1,8 @@
+FROM alpine
+
+RUN apk --no-cache add inotify-tools jq openssl util-linux bash docker
+# while not strictly documented, this script seems to always(?) support previous acme.json versions too
+RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh
+
+COPY run.sh /
+ENTRYPOINT ["/run.sh"]
diff --git a/optional/traefik-certdumper/LICENSE b/optional/traefik-certdumper/LICENSE
new file mode 100644
index 00000000..259ccd34
--- /dev/null
+++ b/optional/traefik-certdumper/LICENSE
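Review bot: `RUN wget https://raw.githubusercontent.com/containous/traefik/master/contrib/scripts/dumpcerts.sh -O dumpcerts.sh` fetches the script that will later parse the ACME key store from a moving branch with no pin and no integrity check, so every rebuild silently takes whatever `master` holds at that moment; pin it to a release tag or commit and verify it, e.g. `RUN wget https://raw.githubusercontent.com/containous/traefik/<TAG-OR-COMMIT-PLACEHOLDER>/contrib/scripts/dumpcerts.sh -O dumpcerts.sh && echo "<SHA256-PLACEHOLDER>  dumpcerts.sh" | sha256sum -c -`. `FROM alpine` is untagged as well, so the base resolves to `latest` and is equally non-reproducible; `FROM alpine:<VERSION-PLACEHOLDER>` fixes that. The `wget` writes `dumpcerts.sh` into the default working directory (`/` when no `WORKDIR` is set), which appears to be what makes the relative `bash dumpcerts.sh` call in run.sh work; an explicit `WORKDIR` would make that dependency visible. The image also installs `docker` and `jq`, neither of which run.sh in this diff uses — `docker` in particular is a large addition to a container that handles private keys, so drop it unless something outside this commit needs it.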
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Sven Dowideit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/optional/traefik-certdumper/README.md b/optional/traefik-certdumper/README.md
new file mode 100644
index 00000000..f5434f62
--- /dev/null
+++ b/optional/traefik-certdumper/README.md
@@ -0,0 +1,27 @@
+# Single-domain traefik-certdumper for mailu
+
+This is based on the work by Sven Dowideit on https://github.com/SvenDowideit/traefik-certdumper
+
+## Fork?
+This is a slight modification that is less flexible, but is adapted to the
+usecase in mailu. If you wish to deploy mailu behind a traefik, you face many
+problems. One of these is that you need to get the certificates into mailu in a
+very defined manner. This will copy the certificate for the **Main:**-domain
+given in the DOMAIN-environment onto `output`.
+
+If your output happens to be mailu-front-`/certs`, the certificate-watcher in
+the front-container will catch it and reload nginx. This works for mailu
+`TLS_FLAVOR=[mail, cert]`
+
+
+```
+ certdumper:
+ restart: always
+ image: Mailu/traefik-certdumper:$VERSION
+ environment:
+ - DOMAIN=$DOMAIN
+ volumes:
+ # your traefik data-volume is probably declared outside of the mailu composefile
+ - /data/traefik:/traefik
+ - $ROOT/certs/:/output/
+```
diff --git a/optional/traefik-certdumper/run.sh b/optional/traefik-certdumper/run.sh
new file mode 100755
index 00000000..2f73eaf7
--- /dev/null
+++ b/optional/traefik-certdumper/run.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+function dump() {
+ echo "$(date) Dumping certificates"
+ bash dumpcerts.sh /traefik/acme.json /tmp/work/
+
+ for crt_file in $(ls /tmp/work/certs/*); do
+ pem_file=$(echo $crt_file | sed 's/certs/pem/g' | sed 's/.crt/-public.pem/g')
+ echo "openssl x509 -inform PEM -in $crt_file > $pem_file"
+ openssl x509 -inform PEM -in $crt_file > $pem_file
+ done
+ for key_file in $(ls /tmp/work/private/*); do
+ pem_file=$(echo $key_file | sed 's/private/pem/g' | sed 's/.key/-private.pem/g')
+ echo "openssl rsa -in $key_file -text > $pem_file"
+ openssl rsa -in $key_file -text > $pem_file
+ done
+
+ echo "$(date) Copying certificates"
+ cp -v /tmp/work/pem/${DOMAIN}-private.pem /output/key.pem
+ cp -v /tmp/work/pem/${DOMAIN}-public.pem /output/cert.pem
+}
+
+mkdir -p /tmp/work/pem /tmp/work/certs
+# run once on start to make sure we have any old certs
+dump
+
+while true; do
+ inotifywait -e modify /traefik/acme.json && \
+ dump
+done
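Review bot: The private key reaches the shared `/output` volume with whatever mode the shell redirect in `openssl rsa -in $key_file -text > $pem_file` gave it under the default umask, and `cp -v /tmp/work/pem/${DOMAIN}-private.pem /output/key.pem` carries that over, so key.pem is typically world-readable wherever that volume is mounted; add `umask 077` as the first line of `dump()` (or write it with `install -m 600`) so the key is owner-only. An unset `DOMAIN` is not caught: the two `cp` lines then look for `/tmp/work/pem/-private.pem`, fail, and the loop keeps logging the same error on every acme.json change, so a guard such as `: "${DOMAIN:?DOMAIN must be set}"` before the first `dump` call makes that fatal and explicit. `inotifywait -e modify /traefik/acme.json` watches the current inode, so if traefik ever rewrites the file via rename rather than in place, later updates would be missed — worth confirming against how traefik writes it, or watching the directory instead. `for crt_file in $(ls /tmp/work/certs/*)` splits on whitespace; `for crt_file in /tmp/work/certs/*` is the idiomatic form and needs no `ls`.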