diff --git a/core/dovecot/conf/dovecot-sql.conf.ext b/core/dovecot/conf/dovecot-sql.conf.ext
index d2e31016..e922d7b9 100644
--- a/core/dovecot/conf/dovecot-sql.conf.ext
+++ b/core/dovecot/conf/dovecot-sql.conf.ext
@@ -3,7 +3,7 @@ connect = /data/main.db
 # Return the user hashed password
 password_query = \
- SELECT NULL as password, 'Y' as nopassword, '{{ FRONT_ADDRESS }}' as allow_nets \
+ SELECT NULL as password, 'Y' as nopassword, '{{ FRONT_ADDRESS }}{% if WEBMAIL_ADDRESS %},{{ WEBMAIL_ADDRESS }}{% endif %}' as allow_nets \
 FROM user \
 WHERE user.email = '%u'
diff --git a/core/dovecot/start.py b/core/dovecot/start.py
index f95762e3..8646da89 100755
--- a/core/dovecot/start.py
+++ b/core/dovecot/start.py
@@ -4,11 +4,13 @@ import jinja2
 import os
 import socket
 import glob
-
+
 convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
 # Actual startup script
 os.environ["FRONT_ADDRESS"] = socket.gethostbyname("front")
+if os.environ["WEBMAIL"] != "none":
+ os.environ["WEBMAIL_ADDRESS"] = socket.gethostbyname("webmail")
 for dovecot_file in glob.glob("/conf/*"):
 convert(dovecot_file, os.path.join("/etc/dovecot", os.path.basename(dovecot_file)))
diff --git a/webmails/rainloop/default.ini b/webmails/rainloop/default.ini
index 0cb96d69..fd7cfba7 100644
--- a/webmails/rainloop/default.ini
+++ b/webmails/rainloop/default.ini
@@ -6,7 +6,7 @@ sieve_use = On
 sieve_allow_raw = Off
 sieve_host = "imap"
 sieve_port = 4190
-sieve_secure = "TLS"
+sieve_secure = "None"
 smtp_host = "front"
 smtp_port = 10025
 smtp_secure = "None"
diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php
index 60deb614..e105807a 100644
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
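Review bot: The new `allow_nets` value in `password_query` extends the passwordless login (`NULL as password, 'Y' as nopassword`) from the front address to the webmail address, so a connection coming from that IP is accepted for whichever user it names; that trust boundary deserves a comment in the file. Something like `# No password check here: front and (optionally) webmail are trusted by source IP via allow_nets` above the query would do, and it would replace the existing `# Return the user hashed password` line, which does not describe what the query returns. Because the address is rendered once from the environment, it is also worth confirming what happens when the webmail container comes back on a different IP.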
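Review bot: `os.environ["WEBMAIL"]` on the added `if` line raises `KeyError` when the variable is not set, and `socket.gethostbyname("webmail")` raises if the name does not resolve at that moment, so either case stops the script before any config file is rendered. Reading it as `if os.environ.get("WEBMAIL", "none") != "none":` keeps the previous behaviour for deployments that never defined WEBMAIL. The lookup also pins whatever address `webmail` has at Dovecot start-up into the `allow_nets` entry of the template changed in this commit, so a short comment such as `# webmail is trusted by IP in dovecot-sql.conf.ext; resolved once at start-up` would make that dependency visible here.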
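Review bot: Setting `sieve_secure = "None"` means the ManageSieve session to `imap` on port 4190, including the login the webmail sends, crosses the container network in cleartext; the same applies to `$config['managesieve_usetls'] = false;` in the webmails/roundcube/config.inc.php hunk. If this is intentional because the internal host name cannot present a valid certificate (the neighbouring comment in the roundcube file suggests that reasoning for IMAP and SMTP), say so next to the setting, e.g. `; TLS off: sieve is only reached over the internal network, do not publish port 4190`. That keeps a later reader from carrying the value into a setup where this hop is not private.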
@@ -26,7 +26,7 @@ $config['smtp_pass'] = '%p';
 // Sieve script management
 $config['managesieve_host'] = 'imap';
-$config['managesieve_usetls'] = true;
+$config['managesieve_usetls'] = false;
 // We access the IMAP and SMTP servers locally with internal names, SSL
 // will obviously fail but this sounds better than allowing insecure login