diff --git a/README.md b/README.md index 9434f1f..b6d8be2 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,14 @@ Puis pour jouer les *playbooks* : - Pour configurer Passbolt : `ansible-playbook passbolt.yml` (attention voir [#15](https://github.com/laxathom/ansible-role-passbolt/issues/15)). +## TODO + +### Mailman 3 + +Mailman 3 est installé sur https://mm3.afpy.org, Julien a un compte +super user, vous pouvez en demander un aussi. le mailman peut envoyer +des mails via exim4, mais pour le moment aucune mailing list. + ## Faire, ne pas faire diff --git a/afpy.org.yml b/afpy.org.yml index 8119fc3..f0aa621 100644 --- a/afpy.org.yml +++ b/afpy.org.yml @@ -44,13 +44,23 @@ server_name www.afpy.org afpy.org; access_log /var/log/nginx/afpy.org-access.log; error_log /var/log/nginx/afpy.org-error.log; - return 301 https://$host$request_uri; + return 301 https://www.afpy.org$request_uri; } server { listen 443 ssl; - server_name www.afpy.org afpy.org; + server_name afpy.org; + access_log /var/log/nginx/afpy.org-access.log; + error_log /var/log/nginx/afpy.org-error.log; + include snippets/letsencrypt-afpy.org.conf; + return 301 https://www.afpy.org$request_uri; + } + + server + { + listen 443 ssl; + server_name www.afpy.org; access_log /var/log/nginx/afpy.org-access.log; error_log /var/log/nginx/afpy.org-error.log; root /var/www/afpy.org/; diff --git a/inventory b/inventory index 73e09d6..93dd122 100644 --- a/inventory +++ b/inventory @@ -15,3 +15,6 @@ deb.afpy.org [afpyros] deb.afpy.org + +[mailmans] +deb.afpy.org diff --git a/mm3.yml b/mm3.yml new file mode 100644 index 0000000..8df433a --- /dev/null +++ b/mm3.yml @@ -0,0 +1,10 @@ +--- + +- hosts: mailmans + tasks: + - name: Basic setup + include_role: name=common + + - name: Mailman setup + tags: always + include_role: name=mailman diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml new file mode 100644 index 0000000..87c1b22 --- /dev/null +++ b/roles/mailman/tasks/main.yml 
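Review bot: The new TLS server block for the bare `afpy.org` in afpy.org.yml exists only to issue a 301 to `www.afpy.org`, and as written it sends no `Strict-Transport-Security` header, so a browser whose first contact is `https://afpy.org` is never told to pin HTTPS for the apex. Consider `add_header Strict-Transport-Security "max-age=31536000" always;` in that block (and in the `www` block, whose body continues past the end of the hunk, if it does not already set one). Replacing `$host` with the literal `www.afpy.org` in the port-80 redirect is a sound change: the Location target no longer reflects an attacker-supplied Host header.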
@@ -0,0 +1,120 @@ +--- + +- block: + - name: Install mailman + apt: + state: present + name: [mailman3-full, nginx, python3-psycopg2] + + - name: Create mm3 nginx log directory + file: + path: /var/log/nginx/mailman3 + owner: www-data + group: adm + state: directory + + - name: Create mailman3 postgres user + become: true + become_user: postgres + postgresql_user: + user: list + + - name: Create mailman3 postgres db + become: true + become_user: postgres + postgresql_db: + name: mailman3 + owner: list + + - name: Configure mailman to connect via unix socket + lineinfile: + path: /etc/mailman3/mailman.cfg + line: 'url: postgres://list@/mailman3' + regex: '^url: postgres://' + + - name: Configure mailman siteowner + lineinfile: + path: /etc/mailman3/mailman.cfg + line: 'site_owner: julien@palard.fr' + regex: '^site_owner:' + + - name: Configure mailman language + lineinfile: + path: /etc/mailman3/mailman.cfg + line: 'default_language: fr' + regex: '^default_language:' + + - name: Configure mailman to use exim4 LMTP + lineinfile: + path: /etc/mailman3/mailman.cfg + line: 'incoming: mailman.mta.exim4.LMTP' + regex: '^incoming: mailman.mta' + + - name: Configure mailman to use exim4 + lineinfile: + path: /etc/mailman3/mailman.cfg + line: 'configuration: python:mailman.config.exim4' + regex: 'configuration: python:mailman.config.' 
+ + - name: Configure exim4 macros + template: + src: 25_mm3_macros.j2 + dest: /etc/exim4/conf.d/main/25_mm3_macros + + - name: Configure exim4 router + template: + src: 455_mm3_router.j2 + dest: /etc/exim4/conf.d/router/455_mm3_router + + - name: Configure exim4 transport + template: + src: 55_mm3_transport.j2 + dest: /etc/exim4/conf.d/transport/55_mm3_transport + + - name: Configure nginx + include_role: name=julienpalard.nginx + vars: + nginx_domain: mm3.afpy.org + nginx_certificates: [mm3.afpy.org] + nginx_owner: mm3 + nginx_conf: | + upstream mailman3 { + server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0; + } + + server { + listen 80; + server_name mm3.afpy.org; + server_tokens off; + + return 301 https://$server_name$request_uri; + access_log /var/log/nginx/mailman3/access.log combined; + error_log /var/log/nginx/mailman3/error.log; + } + + server { + listen 443 ssl; + server_name mm3.afpy.org; + server_tokens off; + + include snippets/letsencrypt-mm3.afpy.org.conf; + + location / { + uwsgi_pass mailman3; + include /etc/nginx/uwsgi_params; + } + + location /mailman3/static { + alias /var/lib/mailman3/web/static; + } + + location /mailman3/static/favicon.ico { + alias /var/lib/mailman3/web/static/postorius/img/favicon.ico; + } + + access_log /var/log/nginx/mailman3/access.log combined; + error_log /var/log/nginx/mailman3/error.log; + } + + + tags: mailman diff --git a/roles/mailman/templates/25_mm3_macros.j2 b/roles/mailman/templates/25_mm3_macros.j2 new file mode 100644 index 0000000..470fb0e --- /dev/null +++ b/roles/mailman/templates/25_mm3_macros.j2 
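Review bot: None of the configuration tasks in roles/mailman/tasks/main.yml notify a handler, so the edited `/etc/mailman3/mailman.cfg` and the three new `/etc/exim4/conf.d/*` fragments are written to disk but never applied: Debian's split exim4 configuration has to be regenerated with `update-exim4.conf` and exim4 restarted, and `mailman3` has to be restarted to pick up the new database URL and MTA settings. Add `notify: Restart exim4` to the three `template` tasks and `notify: Restart mailman3` to the `lineinfile` tasks, with handlers in `roles/mailman/handlers/main.yml` that run `update-exim4.conf`, restart `exim4` and restart `mailman3`. Separately, `mailman.cfg` is an INI file and `lineinfile` appends at end-of-file when `regex` does not match, so `url:` may not land in `[database]` nor `incoming:`/`configuration:` in `[mta]`; `ini_file` with an explicit `section:` is the safer tool here. Moving to PostgreSQL also normally requires `class: mailman.database.postgresql.PostgreSQLDatabase` in `[database]`, which the role does not set unless the packaged config already does — worth confirming.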
@@ -0,0 +1,18 @@
+# The colon-separated list of domains served by Mailman.
+domainlist mm_domains=lists.afpy.org
+
+MM3_LMTP_PORT=8024
+
+# MM3_HOME must be set to mailman's var directory, wherever it is
+# according to your installation.
+MM3_HOME=/opt/mailman/var
+MM3_UID=list
+MM3_GID=list
+
+################################################################
+# The configuration below is boilerplate:
+# you should not need to change it.
+
+# The path to the list receipt (used as the required file when
+# matching list addresses)
+MM3_LISTCHK=MM3_HOME/lists/${local_part}.${domain}
diff --git a/roles/mailman/templates/455_mm3_router b/roles/mailman/templates/455_mm3_router
new file mode 100644
index 0000000..642977a
--- /dev/null
+++ b/roles/mailman/templates/455_mm3_router
@@ -0,0 +1,21 @@
+mailman3_router:
+ driver = accept
+ domains = +mm_domains
+ require_files = MM3_LISTCHK
+ local_part_suffix_optional
+ local_part_suffix = \
+ -bounces : -bounces+* : \
+ -confirm : -confirm+* : \
+ -join : -leave : \
+ -owner : -request : \
+ -subscribe : -unsubscribe
+ transport = mailman3_transport
+
+# /etc/exim4/conf.d/transport/55_mm3_transport
+mailman3_transport:
+ driver = smtp
+ protocol = lmtp
+ allow_localhost
+ hosts = localhost
+ port = MM3_LMTP_PORT
+ rcpt_include_affixes = true
diff --git a/roles/mailman/templates/455_mm3_router.j2 b/roles/mailman/templates/455_mm3_router.j2
new file mode 100644
index 0000000..e08ecb4
--- /dev/null
+++ b/roles/mailman/templates/455_mm3_router.j2
@@ -0,0 +1,12 @@
+mailman3_router:
+ driver = accept
+ domains = +mm_domains
+ require_files = MM3_LISTCHK
+ local_part_suffix_optional
+ local_part_suffix = \
+ -bounces : -bounces+* : \
+ -confirm : -confirm+* : \
+ -join : -leave : \
+ -owner : -request : \
+ -subscribe : -unsubscribe
+ transport = mailman3_transport
diff --git a/roles/mailman/templates/55_mm3_transport.j2 b/roles/mailman/templates/55_mm3_transport.j2
new file mode 100644
index 0000000..826f27d
--- /dev/null
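Review bot: `MM3_HOME=/opt/mailman/var` does not match the installation this role performs: main.yml installs the Debian `mailman3-full` package, whose var directory is `/var/lib/mailman3` if the package default is kept (the nginx config in the same role already aliases `/var/lib/mailman3/web/static`). Because `MM3_LISTCHK` is derived from it, the router's `require_files` will never find a `lists/<list>.<domain>` file and exim will refuse mail for every list. Set `MM3_HOME=/var/lib/mailman3`, or template it from a role variable — this is a `.j2` file that currently contains no Jinja at all, as is the hard-coded `lists.afpy.org`. `MM3_UID` and `MM3_GID` are defined but referenced by neither the router nor the transport in this commit.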
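Review bot: `roles/mailman/templates/455_mm3_router` is not referenced by any task — main.yml renders `455_mm3_router.j2` and `55_mm3_transport.j2` — and it duplicates both of them, including a second copy of the `mailman3_transport` definition. It reads as a leftover from before the router/transport split and should be dropped from the commit; if it is ever installed into `conf.d/router/` next to the rendered `.j2`, exim will see duplicate router and transport names and refuse to load its configuration.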
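Review bot: `require_files = MM3_LISTCHK` expands to a filesystem path built from the unvalidated `$local_part`, so a recipient such as `../../etc/passwd@lists.afpy.org` turns this router into an existence probe for arbitrary files relative to `MM3_HOME/lists`. Exim's sample configuration guards routers that put `$local_part` into paths with a condition along the lines of `local_parts = ! ^.*[@%!/|] : ! ^\\.`; adding that line before `require_files` closes the probe at no cost. The exposure is limited to file-existence information (a match only causes LMTP delivery, which Mailman will reject for an unknown list), but it is cheap to fix. Note also that on Exim 4.94 or newer `$local_part` and `$domain` are tainted and cannot be used in a filename, so this macro will need `$domain_data` and a `dsearch` lookup for the local part to work at all — worth confirming against the exim4 version the target Debian ships.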
+++ b/roles/mailman/templates/55_mm3_transport.j2
@@ -0,0 +1,7 @@
+mailman3_transport:
+ driver = smtp
+ protocol = lmtp
+ allow_localhost
+ hosts = localhost
+ port = MM3_LMTP_PORT
+ rcpt_include_affixes = true
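Review bot: Mailman's LMTP listener performs no authentication, so `hosts = localhost` is only safe while Mailman keeps `lmtp_host` bound to a loopback address; the role never sets `lmtp_host`/`lmtp_port` in `mailman.cfg`, so both sides currently rely on package defaults that `MM3_LMTP_PORT=8024` happens to mirror. Pin the endpoint explicitly on both sides — `hosts = 127.0.0.1` here and `lmtp_host: 127.0.0.1` / `lmtp_port: 8024` in the `[mta]` section — so a later change to one cannot silently break or expose the other. If `localhost` resolves to `::1` first on this host, exim will attempt IPv6 before falling back to IPv4, which is another reason to prefer the literal address.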