diff --git a/conf/schema/postfix.schema b/conf/schema/postfix.schema
index 8056998e..19679ce8 100644
--- a/conf/schema/postfix.schema
+++ b/conf/schema/postfix.schema
@@ -18,12 +18,12 @@ objectIdentifier MiabLDAPmail MiabLDAProot:2
 objectIdentifier MiabLDAPmailAttributeType MiabLDAPmail:1
 objectIdentifier MiabLDAPmailObjectClass MiabLDAPmail:2
 
-attributetype ( 1.3.6.1.4.1.15347.2.102 
-	NAME 'transport' 
+attributetype ( 1.3.6.1.4.1.15347.2.102
+	NAME 'transport'
 	SUP name)
 
-attributetype ( 1.3.6.1.4.1.15347.2.101 
-	NAME 'mailRoutingAddress' 
+attributetype ( 1.3.6.1.4.1.15347.2.101
+	NAME 'mailRoutingAddress'
 	SUP mail )
 
 attributetype ( 1.3.6.1.4.1.15347.2.110 NAME 'maildest'
@@ -56,13 +56,31 @@ attributetype ( MiabLDAPmailAttributeType:1 NAME 'mailMember' DESC 'RFC6532 utf8
 # create a utf8 version of core 'domainComponent'
 attributetype ( MiabLDAPmailAttributeType:2 NAME 'dcIntl' DESC 'UTF8 domain component' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
 
+# create a mda/lda user mailbox quota (for dovecot)
+# format: number | number 'K' | number 'M' | number 'G'
+attributetype ( MiabLDAPmailAttributeType:3
+	DESC 'MDA/LDA user mailbox quota'
+	NAME 'mailboxQuota'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
+	EQUALITY caseExactMatch )
+
+# dovecot supports more than one quota rule (but no way to use a
+# multi-valued attribute). add a second attribute for a second quota
+# rule even though we're not using more than one anticipating that we
+# might in the future and avoid a schema update
+attributetype ( MiabLDAPmailAttributeType:4
+	DESC 'MDA/LDA user mailbox quota 2'
+	NAME 'mailboxQuota2'
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
+	EQUALITY caseExactMatch )
+
 objectclass ( 1.3.6.1.4.1.15347.2.1
 	NAME 'mailUser'
 	DESC 'E-Mail User'
 	SUP top
 	AUXILIARY
 	MUST ( uid $ mail $ maildrop )
-	MAY ( cn $ mailbox $ maildest $ mailaccess )
+	MAY ( cn $ mailbox $ maildest $ mailaccess $ mailboxQuota )
 	)
 
 objectclass ( 1.3.6.1.4.1.15347.2.2
diff --git a/management/cli.py b/management/cli.py
index 06b10f91..28aa3912 100755
--- a/management/cli.py
+++ b/management/cli.py
@@ -18,13 +18,13 @@
 import sys, getpass, urllib.request, urllib.error, json, csv
 import contextlib
 
-def mgmt(cmd, data=None, is_json=False):
+def mgmt(cmd, data=None, is_json=False, method='GET'):
 	# The base URL for the management daemon. (Listens on IPv4 only.)
 	mgmt_uri = 'http://127.0.0.1:10222'
 
 	setup_key_auth(mgmt_uri)
 
-	req = urllib.request.Request(mgmt_uri + cmd, urllib.parse.urlencode(data).encode("utf8") if data else None)
+	req = urllib.request.Request(mgmt_uri + cmd, urllib.parse.urlencode(data).encode("utf8") if data else None, method=method)
 	try:
 		response = urllib.request.urlopen(req)
 	except urllib.error.HTTPError as e:
@@ -74,6 +74,7 @@ if len(sys.argv) < 2:
   {cli} user password user@domain.com [password]
   {cli} user remove user@domain.com
   {cli} user make-admin user@domain.com
+  {cli} user quota user@domain [new-quota]       (get or set user quota)
   {cli} user remove-admin user@domain.com
   {cli} user admins                              (lists admins)
   {cli} user mfa show user@domain.com            (shows MFA devices for user, if any)
@@ -97,6 +98,10 @@ elif sys.argv[1] == "user" and len(sys.argv) == 2:
 			print(user['email'], end='')
 			if "admin" in user['privileges']:
 				print("*", end='')
+			if user['quota'] == '0':
+				print(" unlimited", end='')
+			else:
+				print(" " + user['quota'], end='')
 			print()
 
 elif sys.argv[1] == "user" and sys.argv[2] in {"add", "password"}:
@@ -126,6 +131,14 @@ elif sys.argv[1] == "user" and sys.argv[2] == "admins":
 			if "admin" in user['privileges']:
 				print(user['email'])
 
+elif sys.argv[1] == "user" and sys.argv[2] == "quota" and len(sys.argv) == 4:
+	# Get a user's quota
+	print(mgmt("/mail/users/quota?text=1&email=%s" % sys.argv[3]))
+
+elif sys.argv[1] == "user" and sys.argv[2] == "quota" and len(sys.argv) == 5:
+	# Set a user's quota
+	users = mgmt("/mail/users/quota", { "email": sys.argv[3], "quota": sys.argv[4] }, method='POST')
+
 elif sys.argv[1] == "user" and len(sys.argv) == 5 and sys.argv[2:4] == ["mfa", "show"]:
 	# Show MFA status for a user.
 	status = mgmt("/mfa/status", { "user": sys.argv[4] }, is_json=True)
@@ -150,4 +163,3 @@ elif sys.argv[1] == "alias" and sys.argv[2] == "remove" and len(sys.argv) == 4:
 else:
 	print("Invalid command-line arguments.")
 	sys.exit(1)
-
diff --git a/management/daemon.py b/management/daemon.py
index 3048ea29..1b521b06 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -30,6 +30,7 @@ import auth, utils
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, set_mail_display_name, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
+from mailconfig import get_mail_quota, set_mail_quota
 from mfa import get_public_mfa_state, enable_mfa, disable_mfa
 import mfa_totp
 import contextlib
@@ -201,8 +202,31 @@ def mail_users():
 @app.route('/mail/users/add', methods=['POST'])
 @authorized_personnel_only
 def mail_users_add():
+	quota = request.form.get('quota', '0')
 	try:
-		return add_mail_user(request.form.get('email', ''), request.form.get('password', ''), request.form.get('privileges', ''), request.form.get('display_name', ''), env)
+		return add_mail_user(request.form.get('email', ''), request.form.get('password', ''), request.form.get('privileges', ''), quota, request.form.get('display_name', ''), env)
+	except ValueError as e:
+		return (str(e), 400)
+
+@app.route('/mail/users/quota', methods=['GET'])
+@authorized_personnel_only
+def get_mail_users_quota():
+	email = request.values.get('email', '')
+	quota = get_mail_quota(email, env)
+
+	if request.values.get('text'):
+		return quota
+
+	return json_response({
+		"email": email,
+		"quota": quota
+	})
+
+@app.route('/mail/users/quota', methods=['POST'])
+@authorized_personnel_only
+def mail_users_quota():
+	try:
+		return set_mail_quota(request.form.get('email', ''), request.form.get('quota'), env)
 	except ValueError as e:
 		return (str(e), 400)
 
diff --git a/management/mailconfig.py b/management/mailconfig.py
index c5ad39e6..3404ae87 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
@@ -19,8 +19,11 @@
 # Python 3 in setup/questions.sh to validate the email
 # address entered by the user.
 
-import subprocess, shutil, os, sqlite3, re, ldap3, uuid, hashlib
-import utils, backend
+import os, sqlite3, re
+import subprocess
+import ldap3, uuid, hashlib, backend
+
+import utils
 from email_validator import validate_email as validate_email_, EmailNotValidError
 import idna
 import socket
@@ -283,6 +286,18 @@ def get_mail_users(env, as_map=False, map_by="maildrop"):
 		return utils.sort_email_addresses(users, env)
 
 
+def sizeof_fmt(num):
+	for unit in ['','K','M','G','T']:
+		if abs(num) < 1024.0:
+			if abs(num) > 99:
+				return "%3.0f%s" % (num, unit)
+			else:
+				return "%2.1f%s" % (num, unit)
+
+		num /= 1024.0
+
+	return str(num)
+
 def get_mail_users_ex(env, with_archived=False):
 	# Returns a complex data structure of all user accounts, optionally
 	# including archived (status="inactive") accounts.
@@ -307,20 +322,52 @@ def get_mail_users_ex(env, with_archived=False):
 	users = []
 	active_accounts = set()
 	c = open_database(env)
-	response = c.wait( c.search(env.LDAP_USERS_BASE, "(objectClass=mailUser)", attributes=['mail','maildrop','mailaccess','cn']) )
+	response = c.wait( c.search(env.LDAP_USERS_BASE, "(objectClass=mailUser)", attributes=['mail','maildrop','mailaccess','mailboxQuota','cn']) )
 
 	for rec in response:
 		#email = rec['maildrop'][0]
 		email = rec['mail'][0]
 		privileges = rec['mailaccess']
+		quota = rec['mailboxQuota'][0] if len(rec['mailboxQuota']>0) else '0'
 		display_name = rec['cn'][0]
 		active_accounts.add(email)
+
+		(user, domain) = email.split('@')
+		box_size = 0
+		box_quota = 0
+		percent = ''
+		try:
+			dirsize_file = os.path.join(env['STORAGE_ROOT'], 'mail/mailboxes/%s/%s/maildirsize' % (domain, user))
+			with open(dirsize_file, 'r') as f:
+				box_quota = int(f.readline().split('S')[0])
+				for line in f.readlines():
+					(size, count) = line.split(' ')
+					box_size += int(size)
+
+			try:
+				percent = (box_size / box_quota) * 100
+			except:
+				percent = 'Error'
+
+		except:
+			box_size = '?'
+			box_quota = '?'
+			percent = '?'
+
+		if quota == '0':
+			percent = ''
+
 		user = {
 			"email": email,
 			"privileges": privileges,
+			"quota": quota,
 			"status": "active",
-			"display_name": display_name
+			"display_name": display_name,
+			"box_quota": box_quota,
+			"box_size": sizeof_fmt(box_size) if box_size != '?' else box_size,
+			"percent": '%3.0f%%' % percent if type(percent) != str else percent,
 		}
+
 		users.append(user)
 
 	# Add in archived accounts.
@@ -338,6 +385,9 @@ def get_mail_users_ex(env, with_archived=False):
 						"status": "inactive",
 						"mailbox": mbox,
 						"display_name": ""
+                        "box_size": '?',
+                        "box_quota": '?',
+                        "percent": '?',
 					}
 					users.append(user)
 
@@ -697,12 +747,13 @@ def remove_mail_domain(env, domain_idna, validate=True):
 	return True
 
 
-def add_mail_user(email, pw, privs, display_name, env):
+def add_mail_user(email, pw, privs, quota, display_name, env):
 	# Add a new mail user.
 	#
 	# email: the new user's email address (idna)
 	# pw: the new user's password
 	# privs: either an array of privilege strings, or a newline
+	# quota: a string (number | number 'M' | number 'G') or None
 	# separated string of privilege names
 	# display_name: a string with users givenname and surname (eg "Al Woods")
 	#
@@ -735,6 +786,14 @@ def add_mail_user(email, pw, privs, display_name, env):
 		validation = validate_privilege(p)
 		if validation: return validation
 
+	if quota is None:
+		quota = '0'
+
+	try:
+		quota = validate_quota(quota)
+	except ValueError as e:
+		return (str(e), 400)
+
 	# get the database
 	conn = open_database(env)
 
@@ -773,6 +832,7 @@ def add_mail_user(email, pw, privs, display_name, env):
 		"maildrop" : email.lower(),
 		"uid" : uid,
 		"mailaccess": privs,
+		"mailboxQuota": quota,
 		"cn": cn,
 		"sn": sn,
 		"shadowLastChange": backend.get_shadowLastChanged()
@@ -805,6 +865,8 @@ def add_mail_user(email, pw, privs, display_name, env):
 	# convert alias's mailMember to member
 	convert_mailMember(env, conn, dn, email)
 
+	dovecot_quota_recalc(email)
+
 	# Update things in case any new domains are added.
 	if domain_added:
 		return kick(env, return_status)
@@ -867,6 +929,53 @@ def validate_login(email, pw, env):
 		return False
 
 
+
+def get_mail_quota(email, env):
+	user = find_mail_user(env, email, ['mailboxQuota'])
+	if user is None:
+		return ("That's not a user (%s)." % email, 400)
+	if len(user['mailboxQuota'])==0:
+		return '0'
+	else:
+		return user['mailboxQuota'][0]
+
+def set_mail_quota(email, quota, env):
+	# validate that password is acceptable
+	quota = validate_quota(quota)
+
+	# update the database
+	conn = open_database(env)
+	user = find_mail_user(env, email, ['mailboxQuota'], conn)
+	if user is None:
+		return ("That's not a user (%s)." % email, 400)
+
+	conn.modify_record(user, { 'mailboxQuota': quota })
+	dovecot_quota_recalc(email)
+	return "OK"
+
+def dovecot_quota_recalc(email):
+	# dovecot processes running for the user will not recognize the new quota setting
+	# a reload is necessary to reread the quota setting, but it will also shut down
+	# running dovecot processes.  Email clients generally log back in when they lose
+	# a connection.
+	# subprocess.call(['doveadm', 'reload'])
+
+	# force dovecot to recalculate the quota info for the user.
+	subprocess.call(["doveadm", "quota", "recalc", "-u", email])
+
+def validate_quota(quota):
+	# validate quota
+	quota = quota.strip().upper()
+
+	if quota == "":
+		raise ValueError("No quota provided.")
+	if re.search(r"[\s,.]", quota):
+		raise ValueError("Quotas cannot contain spaces, commas, or decimal points.")
+	if not re.match(r'^[\d]+[GMK]?$', quota):
+		raise ValueError("Invalid quota.")
+
+	return quota
+
 def get_mail_password(email, env):
 	# Gets the hashed passwords for a user. In ldap, userPassword is
 	# multi-valued and each value can have different hash. This
diff --git a/management/templates/users.html b/management/templates/users.html
index 1dca56cb..84c65e99 100644
--- a/management/templates/users.html
+++ b/management/templates/users.html
@@ -6,6 +6,7 @@
 #user_table .account_inactive .if_active { display: none; }
 #user_table .account_active .if_inactive { display: none; }
 #user_table .account_active.if_inactive { display: none; }
+.row-center { text-align: center; }
 </style>
 
 <h3>Add a mail user</h3>
@@ -31,11 +32,13 @@
     </select>
   </div>
   <div class="form-group">
+    <label class="sr-only" for="adduserQuota">Quota</label>
+    <input type="text" class="form-control" id="adduserQuota" placeholder="Quota" style="width:5em;" value="0">
     <div>Display Name</div>
     <input id="adduserDisplayName" class="form-control" type="text" placeholder="eg: John Smith">
   </div>
   <div class="text-center">
-    <div>&nbsp;</div>    
+    <div>&nbsp;</div>
     <button type="submit" class="btn btn-primary">Add User</button>
   </div>
 </form>
@@ -44,13 +47,17 @@
   <li>Use <a href="#aliases">aliases</a> to create email addresses that forward to existing accounts.</li>
   <li>Administrators get access to this control panel.</li>
   <li>User accounts cannot contain any international (non-ASCII) characters, but <a href="#aliases">aliases</a> can.</li>
+  <li>Quotas may not contain any spaces, commas or decimal points. Suffixes of G (gigabytes) and M (megabytes) are allowed.  For unlimited storage enter 0 (zero)</li>
 </ul>
 
 <h3>Existing mail users</h3>
 <table id="user_table" class="table" style="width: auto">
   <thead>
     <tr>
-      <th width="50%">Email Address</th>
+      <th width="35%">Email Address</th>
+      <th class="row-center">Size</th>
+      <th class="row-center">Used</th>
+      <th class="row-center">Quota</th>
       <th>Actions</th>
     </tr>
   </thead>
@@ -64,10 +71,21 @@
     <td>
       <span class="address"></span> <span class="display_name_wrapper">(<a class="display_name" href="#" onclick="users_set_displayname(this); return false;" title="Change display name"></a>)</span>
     </td>
+    <td class="box-size row-center"></td>
+    <td class="percent row-center"></td>
+	<td class="quota row-center">
+	</td>
     <td class='actions'>
         <span class='privs'>
         </span>
 
+        <span class="if_active">
+          <a href="#" onclick="users_set_quota(this); return false;" class='setquota' title="Set Quota">
+              set quota
+          </a>
+          |
+        </span>
+
         <span class="if_active">
           <a href="#" onclick="users_set_password(this); return false;" class='setpw' title="Set Password">
             set password
@@ -108,10 +126,28 @@
 <table class="table" style="margin-top: .5em">
 <thead><th>Verb</th> <th>Action</th><th></th></thead>
 <tr><td>GET</td><td><i>(none)</i></td> <td>Returns a list of existing mail users. Adding <code>?format=json</code> to the URL will give JSON-encoded results.</td></tr>
-<tr><td>POST</td><td>/add</td> <td>Adds a new mail user. Required POST-body parameters are <code>email</code> and <code>password</code>.</td></tr>
-<tr><td>POST</td><td>/remove</td> <td>Removes a mail user. Required POST-body parameter is <code>email</code>.</td></tr>
+<tr>
+    <td>POST</td>
+    <td>/add</td>
+    <td>Adds a new mail user. Required POST-body parameters are <code>email</code> and <code>password</code>. Optional parameters: <code>privilege=admin</code> and <code>quota</code></td>
+</tr>
+<tr>
+    <td>POST</td>
+    <td>/remove</td>
+    <td>Removes a mail user. Required POST-by parameter is <code>email</code>.</td>
+</tr>
 <tr><td>POST</td><td>/privileges/add</td> <td>Used to make a mail user an admin. Required POST-body parameters are <code>email</code> and <code>privilege=admin</code>.</td></tr>
 <tr><td>POST</td><td>/privileges/remove</td> <td>Used to remove the admin privilege from a mail user. Required POST-body parameter is <code>email</code>.</td></tr>
+<tr>
+    <td>GET</td>
+    <td>/quota</td>
+    <td>Get the quota for a mail user. Required POST-body parameters are <code>email</code> and will return JSON result</td>
+</tr>
+<tr>
+    <td>POST</td>
+    <td>/quota</td>
+    <td>Set the quota for a mail user. Required POST-body parameters are <code>email</code> and <code>quota</code>.</td>
+</tr>
 </table>
 
 <h4>Examples:</h4>
@@ -144,7 +180,7 @@ function show_users() {
     function(r) {
       $('#user_table tbody').html("");
       for (var i = 0; i < r.length; i++) {
-        var hdr = $("<tr><th colspan='2' style='background-color: #EEE'></th></tr>");
+        var hdr = $("<tr><th colspan='6' style='background-color: #EEE'></th></tr>");
         hdr.find('th').text(r[i].domain);
         $('#user_table tbody').append(hdr);
 
@@ -162,7 +198,14 @@ function show_users() {
           n2.addClass("account_" + user.status);
 
           n.attr('data-email', user.email);
+          n.attr('data-quota', user.quota);
           n.find('.address').text(user.email);
+          n.find('.box-size').text(user.box_size);
+          if (user.box_size == '?') {
+            n.find('.box-size').attr('title', 'Mailbox size is unkown')
+          }
+          n.find('.percent').text(user.percent);
+          n.find('.quota').text((user.quota == '0') ? 'unlimited' : user.quota);
           if (user.status == "inactive") {
             n.find('.display_name_wrapper').text('[archived]');
           }
@@ -197,6 +240,7 @@ function do_add_user() {
   var email = $("#adduserEmail").val();
   var pw = $("#adduserPassword").val();
   var privs = $("#adduserPrivs").val();
+  var quota = $("#adduserQuota").val();
   var display_name = $("#adduserDisplayName").val();
   api(
     "/mail/users/add",
@@ -205,6 +249,7 @@ function do_add_user() {
       email: email,
       password: pw,
       privileges: privs,
+      quota: quota
       display_name: display_name
     },
     function(r) {
@@ -272,6 +317,36 @@ function users_set_displayname(elem) {
       });
 }
 
+function users_set_quota(elem) {
+    var email = $(elem).parents('tr').attr('data-email');
+    var quota = $(elem).parents('tr').attr('data-quota');
+
+    show_modal_confirm(
+        "Set Quota",
+        $("<p>Set quota for <b>" + email + "</b>?</p>" +
+            "<p>" +
+            "<label for='users_set_quota' style='display: block; font-weight: normal'>Quota:</label>" +
+            "<input type='text' id='users_set_quota' value='" + quota + "'></p>" +
+            "<p><small>Quotas may not contain any spaces or commas.  Suffixes of G (gigabytes) and M (megabytes) are allowed.</small></p>" +
+            "<p><small>For unlimited storage enter 0 (zero)</small></p>"),
+        "Set Quota",
+        function() {
+            api(
+                "/mail/users/quota",
+                "POST",
+                {
+                    email: email,
+                    quota: $('#users_set_quota').val()
+                },
+                function(r) {
+                    show_users();
+                },
+                function(r) {
+                    show_modal_error("Set Quota", r);
+                });
+        });
+}
+
 function users_remove(elem) {
   var email = $(elem).parents('tr').attr('data-email');
 
@@ -337,7 +412,7 @@ function generate_random_password() {
   var charset = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"; // confusable characters skipped
   for (var i = 0; i < 12; i++)
     pw += charset.charAt(Math.floor(Math.random() * charset.length));
-  show_modal_error("Random Password", "<p>Here, try this:</p> <p><code style='font-size: 110%'>" + pw + "</code></pr");
+  show_modal_error("Random Password", "<p>Here, try this:</p> <p><code style='font-size: 110%'>" + pw + "</code></p>");
   return false; // cancel click
 }
 </script>
diff --git a/setup/bootstrap.sh b/setup/bootstrap.sh
index 4f8c9fa3..1d4eacff 100644
--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -133,7 +133,7 @@ fi
 if [ -z "${ENCRYPTION_AT_REST:-}" ]; then
     source ehdd/ehdd_funcs.sh || exit 1
     hdd_exists && ENCRYPTION_AT_REST=true
-elif [ "${ENCRYPTION_AT_REST:-}" = "false" ]; then 
+elif [ "${ENCRYPTION_AT_REST:-}" = "false" ]; then
     source ehdd/ehdd_funcs.sh || exit 1
     if hdd_exists; then
         echo "Encryption-at-rest must be disabled manually"
@@ -147,4 +147,3 @@ if [ "${ENCRYPTION_AT_REST:-false}" = "true" ]; then
 else
     setup/start.sh </dev/tty
 fi
-
diff --git a/setup/ldap.sh b/setup/ldap.sh
index 379ef55a..93d30ce9 100755
--- a/setup/ldap.sh
+++ b/setup/ldap.sh
@@ -99,7 +99,7 @@ create_miab_conf() {
 		_add_if_missing "${prefix}_DN" "cn=$cn,$LDAP_SERVICES_BASE"
 		_add_if_missing "${prefix}_PASSWORD" "$(generate_password 64)"
 	done
-	
+
 	chmod 0640 "$MIAB_INTERNAL_CONF_FILE"
 	. "$MIAB_INTERNAL_CONF_FILE"
 }
@@ -126,7 +126,7 @@ create_service_accounts() {
 	# create service accounts. service accounts have special access
 	# rights, generally read-only to users, aliases, and configuration
 	# subtrees (see apply_access_control)
-	
+
 	local prefix dn pass
 	for prefix in ${SERVICE_ACCOUNTS[*]}
 	do
@@ -147,7 +147,7 @@ userPassword: $(slappasswd_hash "$pass")
 EOF
 		fi
 	done
-	
+
 }
 
 
@@ -155,7 +155,7 @@ install_system_packages() {
 	# install required deb packages, generate admin credentials
 	# and apply them to the installation
 	create_miab_conf
-	
+
 	# Set installation defaults to avoid interactive dialogs. See
 	# /var/lib/dpkg/info/slapd.templates for a list of what can be set
 	debconf-set-selections <<EOF
@@ -164,10 +164,10 @@ slapd slapd/domain string ${LDAP_DOMAIN}
 slapd slapd/password1 password ${LDAP_ADMIN_PASSWORD}
 slapd slapd/password2 password ${LDAP_ADMIN_PASSWORD}
 EOF
-	
+
 	# Install packages
 	say "Installing OpenLDAP server..."
-	
+
 	# we must install slapd without DEBIAN_FRONTEND=noninteractive or
 	# debconf selections are ignored
 	hide_output apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" install slapd
@@ -227,7 +227,7 @@ EOF
 		say "  is set to: $ATTR_VALUE"
 		say "  expected : $LDAP_ADMIN_DN"
 		die
-	fi		
+	fi
 }
 
 relocate_slapd_data() {
@@ -277,11 +277,11 @@ relocate_slapd_data() {
 	say_verbose "		DB='${DB_DIR}'"
 	say_verbose "	to:"
 	say_verbose "	   CONF=${MIAB_SLAPD_CONF}"
-	say_verbose "		 DB=${MIAB_SLAPD_DB_DIR}"	
+	say_verbose "		 DB=${MIAB_SLAPD_DB_DIR}"
 	say_verbose ""
 	say_verbose "Stopping slapd"
 	systemctl stop slapd || die "Could not stop slapd"
-	
+
 	# Modify the path to dc=mailinabox's database directory
 	say_verbose "Dump config database"
 	local TMP="/tmp/miab_relocate_ldap.ldif"
@@ -320,7 +320,7 @@ schema_to_ldif() {
 			cat="curl -s"
 		fi
 	fi
-	
+
 	cat >"$ldif" <<EOF
 dn: cn=$cn,cn=schema,cn=config
 objectClass: olcSchemaConfig
@@ -358,7 +358,7 @@ EOF
 
 
 add_schemas() {
-	# Add necessary schema's for MiaB operaion		 
+	# Add necessary schema's for MiaB operaion
 	#
 	# Note: the postfix schema originally came from the ldapadmin
 	# project (GPL)(*), but has been modified to support the needs of
@@ -385,7 +385,7 @@ add_schemas() {
 			ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$ldif" >/dev/null
 			rm -f "$ldif"
 		fi
-	done	
+	done
 }
 
 
@@ -481,7 +481,7 @@ EOF
 add_overlays() {
 	# Apply slapd overlays - apply the commonly used member-of overlay
 	# now because adding it later is harder.
-	
+
 	# Get the config dn for the database
 	get_attribute "cn=config" "olcSuffix=${LDAP_BASE}" "dn"
 	[ -z "$ATTR_DN" ] &&
@@ -498,7 +498,7 @@ add: olcModuleLoad
 olcModuleLoad: memberof.la
 EOF
 	fi
-	
+
 	get_attribute "$cdn" "(olcOverlay=memberof)" "olcOverlay"
 	if [ -z "$ATTR_DN" ]; then
 		say_verbose "Adding memberof overlay to $LDAP_BASE"
@@ -516,7 +516,7 @@ EOF
 
 add_indexes() {
 	# Index mail-related attributes
-	
+
 	# Get the config dn for the database
 	get_attribute "cn=config" "olcSuffix=${LDAP_BASE}" "dn"
 	[ -z "$ATTR_DN" ] &&
@@ -678,7 +678,7 @@ EOF
 #
 process_cmdline() {
 	[ -e "$MIAB_INTERNAL_CONF_FILE" ] && . "$MIAB_INTERNAL_CONF_FILE"
-	
+
 	if [ "$1" == "-d" ]; then
 		# Start slapd in interactive/debug mode
 		echo "!! SERVER DEBUG MODE !!"
@@ -688,7 +688,7 @@ process_cmdline() {
 		echo "Listening on $SLAPD_SERVICES..."
 		/usr/sbin/slapd -h "$SLAPD_SERVICES" -g openldap -u openldap -F $MIAB_SLAPD_CONF -d ${2:-1}
 		exit 0
-		
+
 	elif [ "$1" == "-config" ]; then
 		# Apply a certain configuration
 		if [ "$2" == "server" ]; then
@@ -734,7 +734,7 @@ process_cmdline() {
 		local hide_attrs="(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp)"
 		local slapcat_args=(-F "$MIAB_SLAPD_CONF" -o ldif-wrap=no)
 		[ ${verbose:-0} -gt 0 ] && hide_attrs="(_____NEVERMATCHES)"
-		
+
 		if [ "$s" == "all" ]; then
 			echo ""
 			echo '--------------------------------'
@@ -777,7 +777,7 @@ process_cmdline() {
 		if [ "$s" == "permitted-senders" -o "$s" == "ps" ]; then
 			echo ""
 			echo '--------------------------------'
-			local attrs=(mail member mailRoutingAddress rfc822MailMember)
+			local attrs=(mail member mailRoutingAddress mailMember)
 			[ ${verbose:-0} -gt 0 ] && attrs=()
 			debug_search "(objectClass=mailGroup)" "$LDAP_PERMITTED_SENDERS_BASE" ${attrs[@]}
 		fi
@@ -814,7 +814,7 @@ process_cmdline() {
 		rm -f "/etc/default/slapd"
 		echo "Done"
 		exit 0
-		
+
 	elif [ ! -z "$1" ]; then
 		echo "Invalid command line argument '$1'"
 		exit 1
diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index 0af6a1de..cd8b800d 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -76,6 +76,32 @@ tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
 
 # Create, subscribe, and mark as special folders: INBOX, Drafts, Sent, Trash, Spam and Archive.
 cp conf/dovecot-mailboxes.conf /etc/dovecot/conf.d/15-mailboxes.conf
+sed -i "s/#mail_plugins =\(.*\)/mail_plugins =\1 \$mail_plugins quota/" /etc/dovecot/conf.d/10-mail.conf
+if ! grep -q "mail_plugins.* imap_quota" /etc/dovecot/conf.d/20-imap.conf; then
+  sed -i "s/\(mail_plugins =.*\)/\1\n  mail_plugins = \$mail_plugins imap_quota/" /etc/dovecot/conf.d/20-imap.conf
+fi
+
+# configure stuff for quota support
+if ! grep -q "quota_status_success = DUNNO" /etc/dovecot/conf.d/90-quota.conf; then
+    cat > /etc/dovecot/conf.d/90-quota.conf << EOF;
+plugin {
+  quota = maildir
+
+  quota_grace = 10%
+
+  quota_status_success = DUNNO
+  quota_status_nouser = DUNNO
+  quota_status_overquota = "522 5.2.2 Mailbox is full"
+}
+
+service quota-status {
+    executable = quota-status -p postfix
+    inet_listener {
+        port = 12340
+    }
+}
+EOF
+fi
 
 # ### IMAP/POP
 
diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 9c963a45..45631ce5 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -259,7 +259,7 @@ tools/editconf.py /etc/postfix/main.cf  -e lmtp_destination_recipient_limit=
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
 tools/editconf.py /etc/postfix/main.cf \
 	smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99]" \
-	smtpd_recipient_restrictions="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],reject_unlisted_recipient,check_policy_service unix:private/policy-spf,check_policy_service inet:127.0.0.1:10023"
+	smtpd_recipient_restrictions="permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],reject_unlisted_recipient,check_policy_service unix:private/policy-spf,check_policy_service inet:127.0.0.1:10023,check_policy_service inet:127.0.0.1:12340"
 
 # Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
 # Postgrey listens on the same interface (and not IPv6, for instance).
diff --git a/setup/mail-users.sh b/setup/mail-users.sh
index b9a76635..c6cf9b8c 100755
--- a/setup/mail-users.sh
+++ b/setup/mail-users.sh
@@ -89,7 +89,7 @@ pass_attrs = maildrop=user
 #   lmtp delivery, pass_filter is not used, and postfix has already
 #   rewritten the envelope using the maildrop address.
 user_filter = (&(objectClass=mailUser)(|(mail=%u)(maildrop=%u)))
-user_attrs = maildrop=user
+user_attrs = maildrop=user mailboxQuota=quota_rule=*:bytes=%\$
 
 # Account iteration for various dovecot tools (doveadm)
 iterate_filter = (objectClass=mailUser)
@@ -269,3 +269,6 @@ chmod 0640 /etc/postfix/virtual-alias-maps.cf
 
 restart_service postfix
 restart_service dovecot
+
+# force a recalculation of all user quotas
+doveadm quota recalc -A
diff --git a/setup/migrate.py b/setup/migrate.py
index 61a9857a..b1ce972e 100755
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -200,6 +200,12 @@ def migration_14(env):
 	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
 	shell("check_call", ["sqlite3", db, "CREATE TABLE auto_aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);"])
 
+def migration_15(env):
+	# Add a column to the users table to store their quota limit.  Default to '0' for unlimited.
+	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
+	shell("check_call", ["sqlite3", db, "ALTER TABLE users ADD COLUMN quota TEXT NOT NULL DEFAULT '0';"])
+
+
 ###########################################################
 
 
@@ -306,7 +312,7 @@ def migration_miabldap_2(env):
 			return ldif.replace("rfc822MailMember: ", "mailMember: ")
 		# apply schema changes miabldap/1 -> miabldap/2
 		ldap.unbind()
-		print("Apply schema changes")
+		print("Apply schema changes to support utf8 email addresses")
 		m14.apply_schema_changes(env, ldapvars, ldif_change_fn)
 		# reconnect
 		ldap = connect(ldapvars)
@@ -329,6 +335,52 @@ def migration_miabldap_2(env):
 
 	ldap.unbind()
 
+def migration_miabldap_3(env):
+	# This migration step changes the ldap schema to support quotas
+	#
+	# possible states at this point:
+	#   miabldap was installed and is being upgraded
+	#      -> schema update needed
+	#   a miab install was present and step 1 upgaded it to miabldap
+	#      -> new schema already present
+	#
+	sys.path.append(os.path.realpath(os.path.join(os.path.dirname(__file__), "../management")))
+	import ldap3
+	from backend import connect
+	import migration_14 as m14
+
+	# 1. get ldap site details
+	ldapvars = load_env_vars_from_file(os.path.join(env["STORAGE_ROOT"], "ldap/miab_ldap.conf"), strip_quotes=True)
+
+	# connect before schema changes to ensure admin password works
+	ldap = connect(ldapvars)
+
+	# 2. if this is a miab -> maibldap install, the new schema is
+	# already in place and no schema changes are needed. however,
+	# if this is a miabldap/1 to miabldap/2 migration, we must
+	# upgrade the schema.
+	ret = shell("check_output", [
+		"ldapsearch",
+		"-Q",
+		"-Y", "EXTERNAL",
+		"-H", "ldapi:///",
+		"(&(objectClass=olcSchemaConfig)(cn={*}postfix))",
+		"-b", "cn=schema,cn=config",
+		"-o", "ldif_wrap=no",
+		"-LLL",
+		"olcObjectClasses"
+	])
+
+	ldap.unbind()
+
+	if "mailboxQuota" not in ret:
+		def ldif_change_fn(ldif):
+			# the schema change we're making does not require any data changes
+			return ldif
+		# apply schema changes miabldap/2 -> miabldap/3
+		print("Apply schema changes to support mailbox quotas")
+		m14.apply_schema_changes(env, ldapvars, ldif_change_fn)
+
 
 def get_current_migration():
 	ver = 0
diff --git a/setup/migration_13.py b/setup/migration_13.py
index d1a49436..e2a771d7 100644
--- a/setup/migration_13.py
+++ b/setup/migration_13.py
@@ -17,7 +17,7 @@
 import uuid, os, sqlite3, ldap3, hashlib
 
 
-def add_user(env, ldapconn, search_base, users_base, domains_base, email, password, privs, totp, cn=None):
+def add_user(env, ldapconn, search_base, users_base, domains_base, email, password, privs, quota, totp, cn=None):
 	# Add a sqlite user to ldap
 	#   env are the environment variables
 	#   ldapconn is the bound ldap connection
@@ -27,6 +27,7 @@ def add_user(env, ldapconn, search_base, users_base, domains_base, email, passwo
 	#   email is the user's email
 	#   password is the user's current sqlite password hash
 	#   privs is an array of privilege names for the user
+	#   quota is the users mailbox quota (string; defaults to '0')
 	#   totp contains the list of secrets, mru tokens, and labels
 	#   cn is the user's common name [optional]
 	#
@@ -45,13 +46,14 @@ def add_user(env, ldapconn, search_base, users_base, domains_base, email, passwo
 	m = hashlib.sha1()
 	m.update(bytearray(email.lower(),'utf-8'))
 	uid = m.hexdigest()
-	
+
 	# Attributes to apply to the new ldap entry
 	objectClasses = [ 'inetOrgPerson','mailUser','shadowAccount' ]
 	attrs = {
 		"mail" : email,
 		"maildrop" : email,
 		"uid" : uid,
+		"mailboxQuota": quota,
 		# Openldap uses prefix {CRYPT} for all crypt(3) formats
 		"userPassword" : password.replace('{SHA512-CRYPT}','{CRYPT}')
 	}
@@ -91,10 +93,10 @@ def add_user(env, ldapconn, search_base, users_base, domains_base, email, passwo
 		attrs['totpMruToken'] = totp["mru_token"]
 		attrs['totpMruTokenTime'] = totp["mru_token_time"]
 		attrs['totpLabel'] = totp["label"]
-	
+
 	# Add user
 	dn = "uid=%s,%s" % (uid, users_base)
-	
+
 	print("adding user %s" % email)
 	ldapconn.add(dn, objectClasses, attrs)
 
@@ -116,14 +118,15 @@ def create_users(env, conn, ldapconn, ldap_base, ldap_users_base, ldap_domains_b
 
 	# select users
 	c = conn.cursor()
-	c.execute("SELECT id, email, password, privileges from users")
+	c.execute("SELECT id, email, password, privileges, quota from users")
 
 	users = {}
 	for row in c:
 		user_id=row[0]
 		email=row[1]
 		password=row[2]
-		privs=row[3]	
+		privs=row[3]
+		quota=row[4]
 		totp = None
 
 		c2 = conn.cursor()
@@ -143,7 +146,7 @@ def create_users(env, conn, ldapconn, ldap_base, ldap_users_base, ldap_domains_b
 			totp["label"].append("{%s}%s" % (rowidx, row2[2] or ''))
 			rowidx += 1
 
-		dn = add_user(env, ldapconn, ldap_base, ldap_users_base, ldap_domains_base, email, password, privs.split("\n"), totp)
+		dn = add_user(env, ldapconn, ldap_base, ldap_users_base, ldap_domains_base, email, password, privs.split("\n"), quota, totp)
 		users[email] = dn
 	return users
 
@@ -164,7 +167,7 @@ def create_aliases(env, conn, ldapconn, aliases_base):
 			cn="%s" % uuid.uuid4()
 			dn="cn=%s,%s" % (cn, aliases_base)
 			description="Mail group %s" % alias
-			
+
 			if alias.startswith("postmaster@") or \
 			   alias.startswith("hostmaster@") or \
 			   alias.startswith("abuse@") or \
@@ -172,7 +175,7 @@ def create_aliases(env, conn, ldapconn, aliases_base):
 			   alias == "administrator@" + env['PRIMARY_HOSTNAME']:
 				description = "Required alias"
 
-			print("adding alias %s" % alias)			
+			print("adding alias %s" % alias)
 			ldapconn.add(dn, ['mailGroup'], {
 				"mail": alias,
 				"description": description
@@ -196,7 +199,7 @@ def populate_aliases(conn, ldapconn, users_map, aliases_map):
 		alias_dn=aliases_map[alias]
 		members = []
 		mailMembers = []
-		
+
 		for email in row[1].split(','):
 			email=email.strip()
 			if email=="":
@@ -207,13 +210,13 @@ def populate_aliases(conn, ldapconn, users_map, aliases_map):
 				members.append(aliases_map[email])
 			else:
 				mailMembers.append(email)
-		
+
 		print("populate alias group %s" % alias)
 		changes = {}
 		if len(members)>0:
 			changes["member"]=[(ldap3.MODIFY_REPLACE, members)]
 		if len(mailMembers)>0:
-			changes["rfc822MailMember"]=[(ldap3.MODIFY_REPLACE, mailMembers)]			
+			changes["rfc822MailMember"]=[(ldap3.MODIFY_REPLACE, mailMembers)]
 		ldapconn.modify(alias_dn, changes)
 
 
diff --git a/setup/webmail.sh b/setup/webmail.sh
index 27097d70..3e0f2456 100644
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -214,6 +214,7 @@ cat > $RCM_CONFIG <<EOF;
 
 /* prevent CSRF, requires php 7.3+ */
 \$config['session_samesite'] = 'Strict';
+\$config['quota_zero_as_unlimited'] = true;
 ?>
 EOF