diff --git a/roles/dmz_prosody_front/meta.OK/main.yml b/roles/dmz_prosody_front/meta.OK/main.yml
index 5961be5..ef74b53 100644
--- a/roles/dmz_prosody_front/meta.OK/main.yml
+++ b/roles/dmz_prosody_front/meta.OK/main.yml
@@ -6,4 +6,5 @@ dependencies:
   - role: cleanupdate
   - role: ldap
+  - role: dmz_haproxy
   - role: dmz_nginx
diff --git a/roles/dmz_prosody_front/tasks/main.yml b/roles/dmz_prosody_front/tasks/main.yml
index 72a707c..1d90036 100644
--- a/roles/dmz_prosody_front/tasks/main.yml
+++ b/roles/dmz_prosody_front/tasks/main.yml
@@ -30,7 +30,7 @@
     [
       "lua52-event",
       "lua52-lpty",
-      "prosody-mod-auth-external-hg",
+      "prosody-mod-auth-imap-hg",
       "prosody-mod-auto-accept-subscriptions-hg",
       "prosody-mod-filter-chatstates-hg",
       "prosody-mod-http-upload-external-hg",
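Review bot: The new dependency is added under `roles/dmz_prosody_front/meta.OK/main.yml`, but Ansible reads role dependencies only from `meta/main.yml`, so as committed `dmz_haproxy` is not pulled in by this role. If the `.OK` suffix is a deliberate way to park the dependency list, a comment at the top of the file such as `# NOTE: meta.OK is not read by Ansible; dependencies listed here are inactive` would stop the next reader from relying on it; otherwise the file should live at `meta/main.yml`. The `dependencies:` list starts outside the hunk.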
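Review bot: Swapping `prosody-mod-auth-external-hg` for `prosody-mod-auth-imap-hg` in this list does not remove the old module package from hosts that already have it, assuming the enclosing task installs the list with a present/latest state (the task head is outside the hunk). A separate task with `state: absent` for `prosody-mod-auth-external-hg` would keep already-provisioned hosts in sync with the playbook. To my knowledge `lua52-lpty` is only needed by mod_auth_external, so it is a candidate for the same cleanup once that is confirmed; the package list continues outside the hunk.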
@@ -152,58 +152,18 @@
   notify:
     - restart prosody.service
 
-- name: set BASH authentication
+- name: set IMAP authentication
   lineinfile:
     path: /etc/prosody/prosody.cfg.lua
     regexp: '^\s*authentication\s*='
-    line: 'authentication = "external"'
+    line: 'authentication = "imap"'
   notify:
     - restart prosody.service
 
-- name: send authentication script
-  copy:
-    content: |
-      #!/bin/bash
-      function ldap_esc() {
-        printf %s "$1" | (LANG=C
-        grep -o . | while IFS='' read -r c; do
-          [[ "$c" =~ [-.A-Za-z0-9] ]] && printf %s "$c" || printf \\%02x "'$c"
-        done)
-      }
-      function do_auth() {
-        local u d p
-        IFS=: read u d p <<<"$1"
-        ldapwhoami -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' \
-          -D "uid=$(ldap_esc "$u"),ou=Users,{{ldap_root}}" -w "$p"
-      }
-      function do_isuser() {
-        local u d
-        IFS=: read u d <<<"$1"
-        ldapsearch -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' -A -s sub -x \
-          -b 'ou=Users,{{ldap_root}}' "(uid=$(ldap_esc "$u"))" | grep ^uid:
-      }
-      function do_setpass() {
-        false
-      }
-      while true; do
-        IFS=: read fct params || { sleep 1s; continue; }
-        case "$fct" in
-          auth) do_auth "$params" ;;
-          isuser) do_isuser "$params" ;;
-          setpass) do_setpass "$params" ;;
-          *) false ;;
-        esac >/dev/null
-        if [ $? -eq 0 ]; then
-          echo "$fct:${params%%:*} YES" | systemd-cat -t "prosody_auth" -p notice
-          echo 1
-        else
-          echo "$fct:${params%%:*} NO" | systemd-cat -t "prosody_auth" -p notice
-          echo 0
-        fi
-      done
+- name: remove authentication script
+  file:
+    state: absent
     dest: /etc/prosody/external_auth.sh
-    owner: prosody
-    mode: 0500
 
 - name: set SQL storage
   lineinfile:
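Review bot: The new `remove authentication script` task addresses the file with `dest:`, while the `lineinfile` tasks around it use `path:`; on the `file` module `dest` is only an alias, so `path: /etc/prosody/external_auth.sh` keeps the role's tasks consistent. Nothing in this hunk, or elsewhere in this diff, tells mod_auth_imap which IMAP server to contact, so the module's defaults presumably apply; a one-line comment on the `set IMAP authentication` task stating where the IMAP endpoint is configured, or that the default is intended, would make the handover from the removed LDAP script reviewable (`# IMAP backend: <PLACEHOLDER: where the server address is configured>`).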
@@ -225,13 +185,20 @@
         password = "{{prosody_db_password}}",
         host = "/run/shared_sockets"}
 
+- name: restrict syslog (“debug” may contain passwords!)
+  lineinfile:
+    path: /etc/prosody/prosody.cfg.lua
+    regexp: '^(\s*(?:--\s*)?)"*syslog"'
+    backrefs: true
+    line: '\1{ to = "syslog", levels = { min = "info" } };'
+
 - name: custom extra configuration
   blockinfile:
     path: /etc/prosody/prosody.cfg.lua
     marker: '-- {mark} Additional configuration'
     block: |
-      -- configure bash authentication
-      external_auth_command = "/etc/prosody/external_auth.sh"
+      -- configure IMAP authentication
+      auth_imap_verify_certificate = false
       -- hide OS type from mod_version output
       hide_os_type = true
       -- limit registration
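Review bot: The `restrict syslog` regexp `'^(\s*(?:--\s*)?)"*syslog"'` treats `"*` as "zero or more quotes", so it matches `"syslog"` but not Prosody's upstream default spelling `"*syslog";` where the star is literal, and because `backrefs: true` makes lineinfile leave the file untouched when nothing matches, the task would then silently leave the syslog sink at its default level with the password-in-debug concern the task name describes still open. If the config carries the default spelling, `regexp: '^(\s*(?:--\s*)?)"\*syslog"'` is the intended pattern; note also that group 1 captures a leading `--`, so a commented-out sink is rewritten but stays commented, which is only right if another task enables it. On `auth_imap_verify_certificate = false`: every user's password is now forwarded to an IMAP backend whose identity is not verified, so unless that backend is reached over a local socket or loopback the module should be pointed at the CA that issued the IMAP server certificate instead. Whichever applies, record it in the block, e.g. `-- certificate check disabled: IMAP backend is reached via <PLACEHOLDER: local path>, not the network`.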