diff --git a/.env.dist b/.env.dist
index d365eb75..b35cd3db 100644
--- a/.env.dist
+++ b/.env.dist
@@ -40,18 +40,18 @@ PASSWORD_SCHEME=SHA512-CRYPT
 # Optional features
 ###################################
-# Choose which frontend Web server to run if any (value: nginx, nginx-no-https, none)
+# Choose which frontend Web server to run if any (value: nginx, traefik, none)
 FRONTEND=none
+# Choose how secure connections will behave (value: letsencrypt, cert, notls)
+TLS_FLAVOR=cert
+
 # Choose which webmail to run if any (values: roundcube, rainloop, none)
 WEBMAIL=none
 # Expose the admin interface in publicly (values: yes, no)
 EXPOSE_ADMIN=no
-# Use Letsencrypt to generate a TLS certificate (uncomment to enable)
-# ENABLE_CERTBOT=True
-
 # Dav server implementation (value: radicale, none)
 WEBDAV=none
diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist
index 8b6ae76d..11c8e3b0 100644
--- a/docker-compose.yml.dist
+++ b/docker-compose.yml.dist
@@ -12,6 +12,7 @@ services:
 - "$BIND_ADDRESS:443:443"
 volumes:
 - "$ROOT/certs:/certs"
+ - /var/run/docker.sock:/docker.sock:ro
 redis:
 image: redis:latest
@@ -87,6 +88,10 @@ services:
 admin:
 # build: admin
 image: mailu/admin:$VERSION
+ labels:
+ - traefik.enable=true
+ - traefik.frontend.rule=Host:$DOMAIN;PathPrefix:/admin/
+ - traefik.port=80
 restart: always
 env_file: .env
 ports:
@@ -100,6 +105,11 @@ services:
 webmail:
 # build: "$WEBMAIL"
 image: "mailu/$WEBMAIL:$VERSION"
+ labels:
+ - traefik.enable=true
+ - traefik.frontend.rule=Host:$DOMAIN;PathPrefix:/webmail/
+ - traefik.root.frontend.rule=Host:$DOMAIN;Path:/;AddPrefix:/webmail/
+ - traefik.port=80
 restart: always
 env_file: .env
 volumes:
diff --git a/traefik/Dockerfile b/traefik/Dockerfile
new file mode 100644
index 00000000..efb2b364
--- /dev/null
+++ b/traefik/Dockerfile
@@ -0,0 +1,8 @@
+FROM traefik:alpine
+
+RUN apk add --no-cache bash
+
+COPY conf /conf
+COPY start.sh /start.sh
+
+CMD /start.sh
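Review bot: The new TLS_FLAVOR comment lists the three values but not what each one needs, so an operator choosing `cert` will not know where the certificate has to be placed, and one choosing `notls` may not realise the front end then serves plain HTTP only. From the rest of this commit, `cert` reads `/certs/cert.pem` and `/certs/key.pem` (mounted from `$ROOT/certs` in docker-compose.yml.dist), `letsencrypt` stores its ACME account and keys in `/certs/acme.json` under the same directory, and `notls` defines only an `:80` entry point. Suggest extending the comment with a second line: `# cert expects $ROOT/certs/cert.pem and key.pem; letsencrypt writes $ROOT/certs/acme.json; notls serves unencrypted HTTP only`.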
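Review bot: Mounting `/var/run/docker.sock` into the front container gives that container control of the Docker daemon, which is equivalent to root on the host; the `:ro` flag only makes the socket node read-only and does not restrict the API calls sent through it. Traefik needs the socket only to list containers and watch events (`watch = true`, `exposedbydefault = false` in the new TOML files), so the blast radius of a compromised front container is far larger than its job requires. Consider placing a restricted socket proxy between Traefik and the daemon, or at least document the trust this creates, e.g. `# Traefik discovers backends via the Docker API; this socket grants host-root-equivalent access to the front container`. The `front` service definition begins before this hunk.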
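Review bot: The `traefik.enable=true` and `PathPrefix:/admin/` labels on the admin service are unconditional, so with `FRONTEND=traefik` the admin interface is routed at `$DOMAIN/admin/` whatever `EXPOSE_ADMIN` is set to in .env — unless something outside this diff reads EXPOSE_ADMIN for the traefik flavour, which I cannot see here. Either the label should depend on the variable, e.g. `- traefik.enable=$EXPOSE_ADMIN` with EXPOSE_ADMIN normalised to `true`/`false` (its documented values are `yes`/`no`), or the EXPOSE_ADMIN comment in .env.dist should state that it does not apply when FRONTEND is traefik. The `admin` service definition continues past this hunk.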
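Review bot: `FROM traefik:alpine` floats on a mutable tag, so every rebuild may pull a different Traefik release, and the TOML keys used under conf/ (`accessLogsFile`, `[acme] onDemand`) are only known to work with the version the author tested; pin it, e.g. `FROM traefik:<tested-version>-alpine`, and bump it deliberately. `CMD /start.sh` is the shell form and wraps the script in `sh -c`; it works here because start.sh ends in `exec traefik`, but the exec form `CMD ["/start.sh"]` makes that intent explicit and avoids the extra shell.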
diff --git a/traefik/conf/cert.toml b/traefik/conf/cert.toml
new file mode 100644
index 00000000..ab612141
--- /dev/null
+++ b/traefik/conf/cert.toml
@@ -0,0 +1,31 @@
+defaultEntryPoints = ["http", "https"]
+logLevel = "ERROR"
+accessLogsFile = "/dev/stdout"
+
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.redirect]
+ entryPoint = "https"
+ [entryPoints.https]
+ address = ":443"
+ [entryPoints.https.tls]
+ MinVersion = "VersionTLS11"
+ CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
+ [[entryPoints.https.tls.certificates]]
+ CertFile = "/certs/cert.pem"
+ KeyFile = "/certs/key.pem"
+
+[docker]
+endpoint = "unix:///docker.sock"
+domain = "{{ DOMAIN }}"
+watch = true
+exposedbydefault = false
+
+[acme]
+email = "{{ POSTMASTER }}@{{ DOMAIN }}"
+storageFile = "/certs/acme.json"
+onDemand = true
+entryPoint = "https"
+
+
diff --git a/traefik/conf/letsencrypt.toml b/traefik/conf/letsencrypt.toml
new file mode 100644
index 00000000..6008dadf
--- /dev/null
+++ b/traefik/conf/letsencrypt.toml
@@ -0,0 +1,28 @@
+defaultEntryPoints = ["http", "https"]
+logLevel = "ERROR"
+accessLogsFile = "/dev/stdout"
+
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.redirect]
+ entryPoint = "https"
+ [entryPoints.https]
+ address = ":443"
+ [entryPoints.https.tls]
+ MinVersion = "VersionTLS11"
+ CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
+
+[docker]
+endpoint = "unix:///docker.sock"
+domain = "{{ DOMAIN }}"
+watch = true
+exposedbydefault = false
+
+[acme]
+email = "{{ POSTMASTER }}@{{ DOMAIN }}"
+storageFile = "/certs/acme.json"
+onDemand = true
+entryPoint = "https"
+
+
diff --git a/traefik/conf/notls.toml b/traefik/conf/notls.toml
new file mode 100644
index 00000000..3226aa3f
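Review bot: `MinVersion = "VersionTLS11"` together with the two `_CBC_SHA` entries in `CipherSuites` keeps TLS 1.1 and CBC cipher suites enabled on the https entry point; both are deprecated, and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` is exactly the kind of suite current clients and compliance scanners flag. Unless a known legacy client must reach the webmail, raise it to `MinVersion = "VersionTLS12"` and keep only the two GCM suites; traefik/conf/letsencrypt.toml carries the same block. The `[acme]` section is also surprising in this `cert` flavour: a static certificate is configured, yet ACME stays enabled with `onDemand = true`, so server names not covered by `/certs/cert.pem` appear to trigger Let's Encrypt orders — if that is unintended, drop the section from cert.toml.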
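Review bot: `onDemand = true` requests a certificate during the first TLS handshake for whatever server name a client presents, so unexpected SNI values from the internet translate into ACME orders, which can exhaust the Let's Encrypt rate limit and leave the real hostnames without a certificate; Traefik's own documentation warns about this. The hostnames are already known (the `Host:$DOMAIN` labels in docker-compose.yml.dist), so prefer `onHostRule = true` or an explicit `[[acme.domains]]` entry with `main = "{{ DOMAIN }}"` and remove `onDemand`; cert.toml has the same `[acme]` block. `storageFile = "/certs/acme.json"` holds the ACME account key and the certificate private keys, so the `$ROOT/certs` directory mounted from the host needs restrictive permissions, which this commit does not set or document.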
--- /dev/null
+++ b/traefik/conf/notls.toml
@@ -0,0 +1,14 @@
+defaultEntryPoints = ["http"]
+logLevel = "ERROR"
+accessLogsFile = "/dev/stdout"
+
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+
+[docker]
+endpoint = "unix:///docker.sock"
+domain = "{{ DOMAIN }}"
+watch = true
+exposedbydefault = false
+
diff --git a/traefik/start.sh b/traefik/start.sh
new file mode 100755
index 00000000..ee148a6d
--- /dev/null
+++ b/traefik/start.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Substitute configuration
+for VARIABLE in `env | cut -f1 -d=`; do
+ sed -i "s={{ $VARIABLE }}=${!VARIABLE}=g" /conf/*.toml
+done
+
+# Select the proper configuration
+cp /conf/$TLS_FLAVOR.toml /conf/traefik.toml
+
+exec traefik -c /conf/traefik.toml
+
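Review bot: The substitution loop uses `=` as the sed delimiter and injects `${!VARIABLE}` unescaped, so any environment value containing `=`, `&`, `\` or a newline (a secret key or password, for instance) either breaks the `s` command or corrupts the TOML, and the loop walks every variable in the environment although the templates only reference `{{ DOMAIN }}` and `{{ POSTMASTER }}`. There is also no `set -e`, so an unknown `TLS_FLAVOR` makes `cp` fail and `exec traefik -c /conf/traefik.toml` then starts against a missing or stale config instead of exiting with a clear error. Suggest selecting and validating the flavour first, then substituting only the placeholders present in the chosen file with the value escaped for sed; multi-line values are still unsupported and should be rejected rather than silently mangled.
```shell
#!/bin/bash
set -euo pipefail

# Select the proper configuration, failing early on an unknown flavor
case "${TLS_FLAVOR:-}" in
  letsencrypt|cert|notls) ;;
  *) echo "Unknown TLS_FLAVOR '${TLS_FLAVOR:-}' (expected letsencrypt, cert or notls)" >&2; exit 1 ;;
esac
cp "/conf/$TLS_FLAVOR.toml" /conf/traefik.toml

# Substitute only the placeholders the chosen file references; escape the
# sed delimiter, '&' and '\' so the value is copied literally
for VARIABLE in $(grep -o '{{ [A-Za-z_][A-Za-z0-9_]* }}' /conf/traefik.toml | tr -d '{} ' | sort -u); do
  VALUE=$(printf '%s' "${!VARIABLE:-}" | sed -e 's/[|&\\]/\\&/g')
  sed -i "s|{{ $VARIABLE }}|$VALUE|g" /conf/traefik.toml
done

exec traefik -c /conf/traefik.toml
```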