diff --git a/README.md b/README.md
index 7780ecf..610111e 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@
 * Postfix
 - [x] starts
 - [x] receive email on port 25
- - [ ] receive email on submission port 587 (to check)
+ - [x] receive email on submission port 587
 - [x] lmtp with dovecot
 * Dovecot
 - [x] lmpto with postfix
@@ -73,3 +73,7 @@ nixops ssh -d mail mailserver
 * configurations that need to be made after `nixos-rebuild switch`
 * complicated storage schemes
 * webclients / http-servers
+
+## Ideas for future releases
+ * Fine grained control over ownership of aliases
+ * More than one domain
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index bc34593..908f56b 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -34,14 +34,22 @@ let
 # vhosts_file :: Path
 vhosts_file = builtins.toFile "vhosts" domain;
+ # vaccounts_file :: Path
+ # see
+ # https://blog.grimneko.de/2011/12/24/a-bunch-of-tips-for-improving-your-postfix-setup/
+ # for details on how this file looks. By using the same file as valiases,
+ # every alias is owned (uniquely) by its user.
+ vaccounts_file = valiases_file;
+
 in {
 enable = true;
 networksStyle = "host";
 mapFiles."valias" = valiases_file;
- # mapFiles."vaccounts" = vaccounts_file;
+ mapFiles."vaccounts" = vaccounts_file;
 sslCert = cert;
 sslKey = key;
+ enableSubmission = true;
 extraConfig = '' 
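Review bot: `vaccounts_file = valiases_file;` makes the virtual-alias table double as the sender-ownership table, so who may send as which address now depends entirely on how `valiases_file` is built, which is outside this hunk. The added comment's claim that every alias is owned "(uniquely)" holds only if each alias has exactly one target: an alias that expands to several recipients would list each of them as an owner, and an account's own address needs an entry too, or `reject_sender_login_mismatch` on the submission service will presumably refuse mail that login sends from its own address. I would state this in the comment, e.g. `# NOTE: every login on the right-hand side may use the left-hand address as MAIL FROM; keep one target per alias and include user -> user entries`.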
@@ -70,19 +78,17 @@ in
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination '';
- extraMasterConf =
- ''
- # Extra Config
- #submission inet n - n - - smtpd
- # -o smtpd_tls_security_level=encrypt
- # -o smtpd_sasl_auth_enable=yes
- # -o smtpd_sasl_type=dovecot
- # -o smtpd_sasl_path=private/auth
- # -o smtpd_sasl_security_options=noanonymous
- # -o smtpd_sasl_local_domain=$myhostname
- # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
- # -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
- # -o smtpd_sender_restrictions=reject_sender_login_mismatch
- # -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
- '';
+ submissionOptions =
+ {
+ smtpd_tls_security_level = "encrypt";
+ smtpd_sasl_auth_enable = "yes";
+ smtpd_sasl_type = "dovecot";
+ smtpd_sasl_path = "private/auth";
+ smtpd_sasl_security_options = "noanonymous";
+ smtpd_sasl_local_domain = "$myhostname";
+ smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+ smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
+ smtpd_sender_restrictions = "reject_sender_login_mismatch";
+ smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
+ };
 }
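Review bot: `smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts"` repeats as a string literal the name registered by `mapFiles."vaccounts"` in the earlier postfix.nix hunk, and nothing ties the two together, so a rename on either side would leave the sender check pointing at a table that is no longer generated. A short comment above `submissionOptions` would record the dependency, e.g. `# port 587: TLS and SASL required; MAIL FROM must belong to the login per /etc/postfix/vaccounts (= mapFiles."vaccounts")`. The submission service also still inherits the main `smtpd_relay_restrictions` visible in the context line, including `permit_mynetworks`. That appears unreachable for now because `smtpd_client_restrictions` rejects unauthenticated clients first, but adding `smtpd_relay_restrictions = "permit_sasl_authenticated,reject";` to this set would keep the port 587 policy self-contained.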