diff --git a/bundles/dovecot/files/dovecot-sql.conf b/bundles/dovecot/files/dovecot-sql.conf
index 62671c6..fd088e3 100644
--- a/bundles/dovecot/files/dovecot-sql.conf
+++ b/bundles/dovecot/files/dovecot-sql.conf
@@ -1,6 +1,6 @@
 connect = host=${host} dbname=${name} user=${user} password=${password}
 driver = pgsql
-default_pass_scheme = SHA512-CRYPT
+default_pass_scheme = ARGON2ID
 password_query = SELECT CONCAT(users.name, '@', domains.name) AS user, password\
 FROM users \
diff --git a/bundles/dovecot/files/sudors b/bundles/dovecot/files/sudors
new file mode 100644
index 0000000..e48cf33
--- /dev/null
+++ b/bundles/dovecot/files/sudors
@@ -0,0 +1 @@
+www-data ALL=(ALL) NOPASSWD: /usr/bin/doveadm pw -s ARGON2ID
diff --git a/bundles/roundcube/files/password.config.inc.php b/bundles/roundcube/files/password.config.inc.php
index 99b1ffc..9432a6d 100644
--- a/bundles/roundcube/files/password.config.inc.php
+++ b/bundles/roundcube/files/password.config.inc.php
@@ -9,7 +9,9 @@ $config['password_log'] = true;
 $config['password_hosts'] = null;
 $config['password_force_save'] = false;
 $config['password_force_new_user'] = false;
-$config['password_algorithm'] = 'sha512-crypt';
-$config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
+$config['password_algorithm'] = 'dovecot';
+$config['password_dovecotpw'] = '/usr/bin/sudo /usr/bin/doveadm pw';
+$config['password_dovecotpw_method'] = 'ARGON2ID';
+$config['password_dovecotpw_with_method'] = true;
 $config['password_db_dsn'] = 'pgsql://mailserver:${mailserver_db_password}@localhost/mailserver';
-$config['password_query'] = "UPDATE users SET password=%P FROM domains WHERE domains.id = domain_id AND domains.name = %d AND users.name = %l";
+$config['password_query'] = "UPDATE users SET password=%D FROM domains WHERE domains.id = domain_id AND domains.name = %d AND users.name = %l";
diff --git a/bundles/roundcube/metadata.py b/bundles/roundcube/metadata.py
index 3014194..f6b8579 100644
--- a/bundles/roundcube/metadata.py
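Review bot: `default_pass_scheme = ARGON2ID` only governs hashes stored without a `{SCHEME}` prefix, so any row whose password column still holds a bare SHA512-CRYPT hash will be verified as Argon2 after this change and that user is locked out; rows written by the previous Roundcube config carried the `{SHA512-CRYPT}` prefix and keep working, but hashes created by other tooling may not. Before switching the default, check for unprefixed rows, e.g. `SELECT count(*) FROM users WHERE password NOT LIKE '{%';`, and prefix them in a migration if any exist. ARGON2ID is also only available when the installed Dovecot is built with libsodium, so `doveadm pw -l` on the target should list it before this is deployed. A comment above the setting, `# applies only to hashes without a {SCHEME} prefix; Roundcube now writes {ARGON2ID}-prefixed hashes`, would make the coupling to the Roundcube side visible.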
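Review bot: This file duplicates the `www-data` rule that `bundles/roundcube/metadata.py` now feeds into the new sudo bundle, which renders it to `/etc/sudoers.d/www-data` and purges everything else in that directory, so a copy deployed from here would be removed on the next apply unless the dovecot bundle also manages that path; nothing in this diff shows the dovecot bundle deploying it, and the name `sudors` reads like a typo for `sudoers`. Keep one source of truth, preferably the metadata, and drop this file. If it stays, `(ALL)` lets www-data run the command as any account although at most root is needed; `www-data ALL=(root) NOPASSWD: /usr/bin/doveadm pw -s ARGON2ID` is the tighter form. Since `doveadm pw` only computes a hash, it is worth checking whether it needs privileges on this host at all, which would remove the sudo grant entirely.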
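Review bot: If I read the password plugin's sql driver right, `%D` is a deprecated placeholder retained for old configs, and with `password_algorithm = 'dovecot'` the `%P` the query used before already yields the doveadm hash, `{ARGON2ID}` prefix included because `password_dovecotpw_with_method` is true; the `password_query` change is then unnecessary and `%P` should stay. The sudo invocation is also silently coupled to the sudoers rule added elsewhere in this commit: the plugin runs `<password_dovecotpw> -s <password_dovecotpw_method>` and that rule only matches `doveadm pw -s ARGON2ID`, so changing the method here without changing the sudoers metadata makes every password change fail. A comment next to the method line, `// must match the www-data sudoers rule in bundles/roundcube/metadata.py`, would flag the dependency.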
+++ b/bundles/roundcube/metadata.py
@@ -51,6 +51,9 @@ defaults = {
 },
 },
 },
+ 'sudoers': {
+ 'www-data': ['/usr/bin/doveadm pw -s ARGON2ID'],
+ },
 }
 @metadata_reactor.provides(
diff --git a/bundles/sudo/items.py b/bundles/sudo/items.py
new file mode 100644
index 0000000..4f410d9
--- /dev/null
+++ b/bundles/sudo/items.py
@@ -0,0 +1,11 @@
+directories = {
+ '/etc/sudoers.d': {
+ 'purge': True,
+ },
+}
+
+for user, commands in node.metadata.get('sudoers').items():
+ files[f'/etc/sudoers.d/{user}'] = {
+ 'content': f"{user} ALL=(ALL) NOPASSWD: {', '.join(commands)}",
+ 'mode': '500',
+ }
diff --git a/bundles/sudo/metadata.py b/bundles/sudo/metadata.py
new file mode 100644
index 0000000..61dfabf
--- /dev/null
+++ b/bundles/sudo/metadata.py
@@ -0,0 +1,10 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'sudo': {},
+ },
+ },
+ 'sudoers': {
+ 'root': ['ALL'],
+ },
+}
diff --git a/groups/all.py b/groups/all.py
index 294c47c..14ad117 100644
--- a/groups/all.py
+++ b/groups/all.py
@@ -1,5 +1,6 @@
 {
 'bundles': [
+ 'sudo',
 'users',
 'zsh',
 ],
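Review bot: The `www-data` sudoers grant is defined here and again as a static file, `bundles/dovecot/files/sudors`, in the same commit; two definitions of one privilege rule will drift, and since the sudo bundle purges `/etc/sudoers.d`, only the entry rendered from this metadata is guaranteed to survive an apply, so this should be the only copy. The command string also has to stay identical to what Roundcube executes, `password_dovecotpw` plus `-s` plus `password_dovecotpw_method` in `files/password.config.inc.php`, or sudo rejects the call and password changes fail; a comment above the entry, `# must match password_dovecotpw and password_dovecotpw_method in files/password.config.inc.php`, would make that explicit. The `defaults` dict this hunk extends begins before the hunk.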
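Review bot: `'mode': '500'` sets the owner execute bit and drops the group read bit; sudo expects sudoers.d files to be owned by root and mode 0440 or stricter, and some sudo versions refuse a file with other bits set ("is mode 0500, should be 0440"), which would silently disable every rule generated here, including root's. Use `'0440'` and set `'owner'`/`'group'` to root explicitly rather than relying on whichever user runs the apply. Two further gaps in the loop: sudo ignores files in `/etc/sudoers.d` whose names contain a `.` or end in `~`, so a metadata key like `svc.backup` would be written and never loaded and should be rejected up front; and the rendered line has no trailing newline and is never syntax-checked, while one malformed rule breaks sudo for the whole host, so terminate the line and validate it with `visudo -cf {}` through the file item's `verify_with` hook if this BundleWrap version provides it. `(ALL)` as the run-as target is also hard-coded for every grant, which for `www-data` is broader than needed; consider making the run-as user part of the metadata or defaulting to `(root)`.
```python
# … unchanged: directories = {...} …

for user, commands in node.metadata.get('sudoers').items():
    # sudo skips sudoers.d files whose name contains '.' or ends with '~'
    if '.' in user or user.endswith('~'):
        raise ValueError(f"sudoers: {user!r} is not a valid /etc/sudoers.d file name")
    files[f'/etc/sudoers.d/{user}'] = {
        'content': f"{user} ALL=(ALL) NOPASSWD: {', '.join(commands)}\n",
        'owner': 'root',
        'group': 'root',
        'mode': '0440',
        # refuse to write a rule that would break sudo for the whole host
        'verify_with': 'visudo -cf {}',
    }
```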
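Review bot: Adding `sudo` to the group every node belongs to activates the new bundle's `purge` of `/etc/sudoers.d` fleet-wide, so any drop-in not expressed in `sudoers` metadata (cloud-init's `90-cloud-init-users`, per-host admin grants) is deleted on the next apply; if an operator account relies on one of those and root login is disabled, that host loses privilege escalation. Worth confirming before rollout, for example by listing `/etc/sudoers.d` across the fleet or running the first apply interactively and reviewing the file removals it proposes.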