diff --git a/default.nix b/default.nix
index 5854226..6e0cedb 100644
--- a/default.nix
+++ b/default.nix
@@ -78,6 +78,16 @@ in
 '';
 };
 
+ quota = mkOption {
+ type = with types; nullOr types.str;
+ default = null;
+ example = "2G";
+ description = ''
+ Per user quota rules. Accepted sizes are `xx k/M/G/T` with the
+ obvious meaning. Leave blank for the standard quota `100G`.
+ '';
+ };
+
 sieveScript = mkOption {
 type = with types; nullOr lines;
 default = null;
diff --git a/mail-server/common.nix b/mail-server/common.nix
index 56373bd..015bfda 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -20,7 +20,10 @@ let
 cfg = config.mailserver;
 # passwd :: [ String ]
 passwd = lib.mapAttrsToList
- (name: value: "${name}:${value.hashedPassword}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:")
+ (name: value: "${name}:${value.hashedPassword}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
+ (if lib.isString value.quota
+ then "userdb_quota_rule=*:storage=${value.quota}"
+ else ""))
 cfg.loginAccounts;
 in
 {
@@ -41,6 +44,7 @@ in
 else if cfg.certificateScheme == 3 then "/var/lib/acme/${cfg.fqdn}/key.pem"
 else throw "Error: Certificate Scheme must be in { 1, 2, 3 }";
 
+ # passwdFile :: PATH
 passwdFile = builtins.toFile "passwd" (lib.concatStringsSep "\n" passwd);
 }
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 39cf35e..61f1fa8 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -32,6 +32,7 @@ in
 enableImap = enableImap;
 enablePop3 = enablePop3;
 enablePAM = false;
+ enableQuota = true;
 mailGroup = vmailGroupName;
 mailUser = vmailUserName;
 mailLocation = dovecot_maildir;
@@ -80,6 +81,11 @@ in
 args = ${passwdFile}
 }
 
+ userdb {
+ driver = passwd-file
+ args = ${passwdFile}
+ }
+
 service auth {
 unix_listener /var/lib/postfix/queue/private/auth {
 mode = 0660
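Review bot: The new `quota` option accepts any string although its description promises the `xx k/M/G/T` form, so a typo or an empty string (which "Leave blank" invites) is only discovered when Dovecot parses the generated passwd-file instead of at evaluation time. A pattern type validates it up front, e.g. `type = with types; nullOr (strMatching "[0-9]+[kMGT]?");` (adjust the suffix set to whatever Dovecot's quota size syntax really accepts, which I cannot confirm from here), and the `types.` prefix inside `with types;` is redundant anyway. The description should say "Leave unset (`null`)" rather than "blank", because an empty string passes `lib.isString` and would emit `storage=` with no value. The `100G` standard quota it advertises is not configured anywhere in this diff; if it is not set elsewhere in dovecot.nix, either add it or drop the claim from the description.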
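Review bot: As rendered here the string literal ending in `nologin:` is directly followed by the parenthesised `if` with no `+` between them; if that is not just a rendering artifact of this diff, the lambda body is a function application of a string and evaluation fails, so `"…nologin:" + (if lib.isString value.quota` is what must be there. Separately, `${value.quota}` is interpolated into the passwd-file extra-fields column unescaped; Dovecot extra fields are whitespace-separated, so a value containing a space or newline would inject further `userdb_*` fields or a whole extra passwd line. The value is admin-controlled, so this is a robustness rather than an attacker-facing issue, but a restrictive `strMatching` type on the option (or an `assert` here) closes it at evaluation time. A one-line comment such as `# appended as a passwd-file "extra field"; Dovecot strips the userdb_ prefix when this file is used as userdb` would also help the next reader, as the same file now serves both passdb and userdb.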
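Review bot: The new `# passwdFile :: PATH` comment is the right place to record that `builtins.toFile` writes this file into the Nix store, which is world-readable on the host and included in any binary cache the system pushes to, so every account's password hash (and now its quota) is exposed to all local users. This is pre-existing behaviour, not something this commit introduces, but it is the kind of caveat a reader should not have to rediscover. I would extend the comment to `# passwdFile :: PATH -- NOTE: lands in the world-readable /nix/store, hashes included` until the file is generated into a mode-0600 location at activation time instead.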
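Review bot: `enableQuota = true;` loads the quota plugin, but this hunk sets no default `quota_rule`, so unless one is configured outside the visible hunks users without an explicit `quota` get no limit at all rather than the `100G` the option description promises. If it is indeed missing, `quota_rule = *:storage=100G` in the `plugin { … }` block would make the documentation true. The enclosing attribute set continues outside the hunk.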
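Review bot: The Postfix side of this change points `check_policy_service` at port 12340, but nothing in this file declares the Dovecot `service quota-status` that would answer there, so unless it is defined outside the visible hunks Postfix will be talking to a closed port and deferring every recipient. The new `userdb` block is the natural neighbour for it; I would add the listener bound to loopback only, together with the `quota_status_*` responses so that the policy service returns DUNNO rather than a reject for unknown users. The `extraConfig` string this sits in starts and ends outside the hunk.
```nix
# … unchanged: passdb / userdb blocks …
service quota-status {
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12340
  }
}

quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"
# … unchanged: service auth …
```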
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 5b373f9..55b8243 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -124,6 +124,9 @@ in
 smtpd_sasl_auth_enable = yes
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 
+ # quota
+ smtpd_recipient_restrictions = check_policy_service inet:mailstore.example.com:12340
+
 # TLS settings, inspired by https://github.com/jeaye/nix-files
 # Submission by mail clients is handled in submissionOptions
 smtpd_tls_security_level = may
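Review bot: `inet:mailstore.example.com:12340` is a literal example.com hostname, so as committed every inbound recipient address is sent in clear text to a host the operator does not control, and when that host does not answer `check_policy_service` defers with a 4xx, which stops all incoming mail. The policy service Dovecot's quota-status exposes lives on the same machine here (the same module configures both daemons), so this should be `check_policy_service inet:127.0.0.1:12340` or a unix socket, with the address shared with dovecot.nix via a `cfg` value rather than typed twice. Consider whether a quota lookup should fail open; on Postfix 3.x `smtpd_policy_service_default_action = DUNNO` makes an unreachable quota service degrade to "accept" instead of deferring. The `# quota` comment would be more useful as `# Reject recipients over their Dovecot quota at RCPT time (quota-status policy service)`.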