diff --git a/bin/vmail-dovecot-disable.sh b/bin/vmail-dovecot-disable.sh
new file mode 100755
index 0000000..e42b276
--- /dev/null
+++ b/bin/vmail-dovecot-disable.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# vmail-stack
+# https://git.stack-source.com/msb/vmail-stack
+# Copyright (c) 2023 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# load include file
+source $(dirname $0)/vmail.sh
+
+help()
+{
+  thisfilename=$(basename -- "$0")
+  echo "$thisfilename"
+  echo "Disable dovecot for given domain"
+  echo ""
+  echo "usage: $thisfilename -d <domain> [-h]"
+  echo ""
+  echo "  -h          Print this help."
+  echo "  -d <domain> Domain to disable dovecot for."
+}
+
+vmail:getoptions "$@"
+
+# check for domain
+if [[ -z $domain ]]; then
+  echo "ERROR: domain name is required"
+  exit 1
+fi
+
+# disable dovecot for domain
+if [ -f "/etc/dovecot/sites.d/mail.$domain.conf" ]; then
+  rm /etc/dovecot/sites.d/mail.$domain.conf
+  /usr/bin/systemctl --quiet is-active dovecot && systemctl --quiet reload dovecot
+fi
diff --git a/bin/vmail-dovecot-enable.sh b/bin/vmail-dovecot-enable.sh
new file mode 100755
index 0000000..9189fab
--- /dev/null
+++ b/bin/vmail-dovecot-enable.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+# vmail-stack
+# https://git.stack-source.com/msb/vmail-stack
+# Copyright (c) 2023 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# load include file
+source $(dirname $0)/vmail.sh
+
+help()
+{
+  thisfilename=$(basename -- "$0")
+  echo "$thisfilename"
+  echo "Enable SSL (TLS) in dovecot (POP/IMAP) for given domain"
+  echo ""
+  echo "usage: $thisfilename -d <domain> [-h]"
+  echo ""
+  echo "  -h          Print this help."
+  echo "  -d <domain> Domain to enable dovecot for."
+  echo ""
+  echo "              Let's Encrypt certificate must already exist. If need be run this first:"
+  echo "              letsencrypt-certonly.sh -d mail.<domain>"
+}
+
+vmail:getoptions "$@"
+
+# check for domain
+if [[ -z $domain ]]; then
+  echo "ERROR: domain name is required"
+  exit 1
+fi
+
+# check that letsencrypt cert exists
+if [ ! -f /etc/ssl/letsencrypt/mail.$domain.pem ]; then
+  echo "Let's Encrypt cert for mail.$domain does not exist, create that first:"
+  exit 1
+fi
+
+# create dovecot config & restart
+if [ ! -f "/etc/dovecot/sites.d/mail.$domain.conf" ]; then
+  echo "local_name mail.pawderosa.com {" > /etc/dovecot/sites.d/mail.$domain.conf
+  echo "  ssl_cert = </etc/ssl/letsencrypt/mail.pawderosa.com.pem" >> /etc/dovecot/sites.d/mail.$domain.conf
+  echo "  ssl_key = </etc/ssl/letsencrypt/mail.pawderosa.com.pem" >> /etc/dovecot/sites.d/mail.$domain.conf
+  echo "}" >> /etc/dovecot/sites.d/mail.$domain.conf
+  /usr/bin/systemctl --quiet is-active dovecot && systemctl --quiet reload dovecot
+fi