diff --git a/baseimage/initializeBaseUbuntuImage.sh b/baseimage/initializeBaseUbuntuImage.sh
index 57a90a160..09d74ab6a 100644
--- a/baseimage/initializeBaseUbuntuImage.sh
+++ b/baseimage/initializeBaseUbuntuImage.sh
@@ -179,6 +179,9 @@ else
 
     echo "=== Pulling mail relay ==="
     docker pull "${MAIL_IMAGE}"
+
+    echo "=== Pulling recvmail ==="
+    docker pull "${RECVMAIL_IMAGE}"
 fi
 
 echo "==== Install nginx ===="
diff --git a/src/INFRA_VERSION b/src/INFRA_VERSION
index 3b74d0363..2485c96e5 100644
--- a/src/INFRA_VERSION
+++ b/src/INFRA_VERSION
@@ -14,6 +14,7 @@ MONGODB_IMAGE=cloudron/mongodb:0.9.0
 REDIS_IMAGE=cloudron/redis:0.8.0 # if you change this, fix src/addons.js as well
 MAIL_IMAGE=cloudron/mail:0.12.0
 GRAPHITE_IMAGE=cloudron/graphite:0.8.0
+RECVMAIL_IMAGE=cloudron/recvmail:0.1.0
 
 MYSQL_REPO=cloudron/mysql
 POSTGRESQL_REPO=cloudron/postgresql
diff --git a/src/addons.js b/src/addons.js
index 05b52f673..724b1a7bf 100644
--- a/src/addons.js
+++ b/src/addons.js
@@ -35,6 +35,7 @@ var appdb = require('./appdb.js'),
     path = require('path'),
     paths = require('./paths.js'),
     safe = require('safetydance'),
+    settings = require('./settings.js'),
     shell = require('./shell.js'),
     util = require('util'),
     uuid = require('node-uuid');
@@ -129,7 +130,7 @@ function initialize(callback) {
     certificates.getAdminCertificatePath(function (error, certFilePath, keyFilePath) {
         if (error) return callback(error);
 
-        shell.sudo('seutp_infra', [ SETUP_INFRA_CMD, config.fqdn(), config.adminFqdn(), certFilePath, keyFilePath ], callback);
+        shell.sudo('seutp_infra', [ SETUP_INFRA_CMD, config.fqdn(), config.adminFqdn(), certFilePath, keyFilePath, settings.isIncomingMailEnabled() ], callback);
     });
 }
 
diff --git a/src/cloudron.js b/src/cloudron.js
index 50b95ee0a..1baf6425a 100644
--- a/src/cloudron.js
+++ b/src/cloudron.js
@@ -63,8 +63,6 @@ var REBOOT_CMD = path.join(__dirname, 'scripts/reboot.sh'),
 
 var NOOP_CALLBACK = function (error) { if (error) debug(error); };
 
-var ENABLE_INCOMING_MAIL = true;         // TODO: make settings
-
 var gUpdatingDns = false,                // flag for dns update reentrancy
     gCloudronDetails = null,             // cached cloudron details like region,size...
     gAppstoreUserDetails = {},
@@ -458,7 +456,7 @@ function addDnsRecords() {
         if (config.isCustomDomain()) {
             records.push(webadminRecord);
             records.push(dkimRecord);
-            if (ENABLE_INCOMING_MAIL) records.push(mxRecord);
+            if (settings.isIncomingMailEnabled()) records.push(mxRecord);
         } else {
             // for custom domains, we show a nakeddomain.html page
             var nakedDomainRecord = { subdomain: '', type: 'A', values: [ ip ] };
@@ -467,7 +465,7 @@ function addDnsRecords() {
             records.push(webadminRecord);
             records.push(dkimRecord);
             records.push(dmarcRecord);
-            if (ENABLE_INCOMING_MAIL) records.push(mxRecord);
+            if (settings.isIncomingMailEnabled()) records.push(mxRecord);
         }
 
         debug('addDnsRecords: %j', records);
diff --git a/src/scripts/setup_infra.sh b/src/scripts/setup_infra.sh
index a24ca664f..0f3aef960 100755
--- a/src/scripts/setup_infra.sh
+++ b/src/scripts/setup_infra.sh
@@ -21,6 +21,7 @@ readonly fqdn="$1"
 readonly mail_fqdn="$2"
 readonly mail_tls_cert="$3"
 readonly mail_tls_key="$4"
+readonly enable_incoming_mail="$5"
 
 # removing containers ensures containers are launched with latest config updates
 # restore code in appatask does not delete old containers
@@ -55,6 +56,25 @@ if docker images "${GRAPHITE_REPO}" | tail -n +2 | awk '{ print $1 ":" $2 }' | g
     echo "Removed old graphite images"
 fi
 
+# recvmail (exposes port 993 and 25)
+if [[ "${enable_incoming_mail}" == "true" ]]; then
+    recvmail_container_id=$(docker run --restart=always -d --name="recvmail" \
+        -m 75m \
+        --memory-swap 150m \
+        -h "${fqdn}" \
+        -v "${DATA_DIR}/box/recvmail:/app/data" \
+        -v "${mail_tls_key}:/etc/tls_key.pem:ro" \
+        -v "${mail_tls_cert}:/etc/tls_cert.pem:ro" \
+        -p 993:9993 \
+        -p 25:25 \
+        --read-only -v /tmp -v /run \
+        "${RECVMAIL_IMAGE}")
+    echo "recvmail container id: ${recvmail_container_id}"
+    if docker images "${RECVMAIL_IMAGE}" | tail -n +2 | awk '{ print $1 ":" $2 }' | grep -v "${RECVMAIL_IMAGE}" | xargs --no-run-if-empty docker rmi; then
+        echo "Removed old recvmail images"
+    fi
+fi
+
 # mail (MAIL_SMTP_PORT is 2500 in addons.js. used in mailer.js as well)
 # MAIL_SERVER_NAME is the hostname of the mailserver i.e server uses these certs
 # MAIL_DOMAIN is the domain for which this server is relaying mails
@@ -67,6 +87,7 @@ mail_container_id=$(docker run --restart=always -d --name="mail" \
     -v "${DATA_DIR}/box/mail:/app/data" \
     -v "${mail_tls_key}:/etc/tls_key.pem:ro" \
     -v "${mail_tls_cert}:/etc/tls_cert.pem:ro" \
+    -p 587:2500 \
     --read-only -v /tmp -v /run \
     "${MAIL_IMAGE}")
 echo "Mail container id: ${mail_container_id}"
diff --git a/src/settings.js b/src/settings.js
index ed035b8c0..c4b50f945 100644
--- a/src/settings.js
+++ b/src/settings.js
@@ -35,6 +35,9 @@ exports = module.exports = {
     getDefaultSync: getDefaultSync,
     getAll: getAll,
 
+    // TODO: make proper setting
+    isIncomingMailEnabled: function () { return true; },
+
     AUTOUPDATE_PATTERN_KEY: 'autoupdate_pattern',
     TIME_ZONE_KEY: 'time_zone',
     CLOUDRON_NAME_KEY: 'cloudron_name',