diff --git a/.gitignore b/.gitignore
index 678f78a..d9390d9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .*.swp
 data
 *.secrets
+env.smtp
diff --git a/env.smtp.template b/env.smtp.template
new file mode 100644
index 0000000..3249be8
--- /dev/null
+++ b/env.smtp.template
@@ -0,0 +1,10 @@
+#
+# To enable sending emails, please make an account at sendgrind (free should be fine)
+# and copy the API key into the SMTP password.  If you don't do this first, you'll
+# have to setup it later, which will involve some manual effort to configure each
+# sub-site.
+#
+SMTP_SERVER=smtp.sendgrid.net
+SMTP_PORT=587
+SMTP_USER=apikey
+SMTP_PASSWORD=LONG-STRING-GOES-HERE
diff --git a/keycloak/setup b/keycloak/setup
index 9aecfcc..15792c4 100755
--- a/keycloak/setup
+++ b/keycloak/setup
@@ -1,11 +1,12 @@
 #!/bin/bash
-die() { echo >&2 "ERROR: $@" ; exit 1 ; }
-info() { echo >&2 "$@" ; }
+die() { echo >&2 "keycloak: ERROR: $@" ; exit 1 ; }
+info() { echo >&2 "keycloak: $@" ; }
 
 DIRNAME="$(dirname $0)"
 cd "$DIRNAME"
 source ../env.production
 source ./env.production
+source "../env.smtp" 2>/dev/null
 
 SECRETS="../data/keycloak/env.secrets"
 
@@ -82,6 +83,28 @@ docker-compose exec -T keycloak \
 }
 EOF
 
+if [ -n "$SMTP_SERVER" ]; then
+	info "configuring email"
+	docker-compose exec -T keycloak \
+	  /opt/keycloak/bin/kcadm.sh update "realms/$REALM" \
+	-f - <<EOF || die "unable to configure email"
+{
+  "resetPasswordAllowed": "true",
+  "smtpServer" : {
+    "auth" : "true",
+    "starttls" : "true",
+    "user" : "$SMTP_USER",
+    "password" : "$SMTP_PASSWORD",
+    "port" : "$SMTP_PORT",
+    "host" : "$SMTP_SERVER",
+    "from" : "keycloak@$DOMAIN_NAME",
+    "fromDisplayName" : "Keycloak @ $DOMAIN_NAME",
+    "ssl" : "false"
+  }
+}
+EOF
+fi
+
 
 info "Create an admin user in realm"
 docker-compose exec -T keycloak \
diff --git a/mastodon/env.production b/mastodon/env.production
index e420cd0..e99b24b 100644
--- a/mastodon/env.production
+++ b/mastodon/env.production
@@ -57,11 +57,7 @@ ES_PASS=password
 
 # Sending mail
 # ------------
-SMTP_SERVER=smtp.mailgun.org
-SMTP_PORT=587
-SMTP_LOGIN=
-SMTP_PASSWORD=
-SMTP_FROM_ADDRESS=notifications@example.com
+# configured in env.secrets
 
 # File storage (optional)
 # -----------------------
diff --git a/mastodon/setup b/mastodon/setup
index 65d5ee5..9c535a7 100755
--- a/mastodon/setup
+++ b/mastodon/setup
@@ -6,6 +6,7 @@ DIRNAME="$(dirname $0)"
 cd "$DIRNAME"
 source ../env.production
 source ./env.production
+source "../env.smtp" 2>/dev/null
 
 mkdir -p ../data/mastodon/system
 chmod 777 ../data/mastodon/system
@@ -37,6 +38,16 @@ SECRET_KEY_BASE=$(openssl rand -hex 32)
 OTP_SECRET=$(openssl rand -hex 32)
 EOF
 
+if [ -n "$SMTP_SERVER" ]; then
+	cat <<EOF >> "$SECRETS"
+SMTP_SERVER=$SMTP_SERVER
+SMTP_PORT=$SMTP_PORT
+SMTP_LOGIN=$SMTP_USER
+SMTP_PASSWORD=$SMTP_PASSWORD
+SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME
+EOF
+fi
+
 info "mastodon: creating push keys"
 docker-compose run --rm mastodon \
 	rails mastodon:webpush:generate_vapid_key \
diff --git a/matrix/setup b/matrix/setup
index 5aee89c..4e6dc0e 100755
--- a/matrix/setup
+++ b/matrix/setup
@@ -1,9 +1,11 @@
 #!/bin/bash
-die() { echo >&2 "$@" ; exit 1 ; }
+die() { echo >&2 "matrix: ERROR $@" ; exit 1 ; }
+info() { echo >&2 "matrix: $@" ; }
 
 DIRNAME="$(dirname $0)"
 cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
+source ../env.smtp 2>/dev/null 
 source env.production || die "no local env?"
 
 DATA="../data/matrix"
@@ -53,6 +55,21 @@ oidc_providers:
         display_name_template: "{{ user.name }}"
 EOF
 
+if [ -n "$SMTP_SERVER" ]; then
+	info "configuring email"
+	cat <<EOF >> "$HOMESERVER_YAML"
+email:
+  smtp_host: ${SMTP_SERVER}
+  smtp_port: ${SMTP_PORT}
+  smtp_user: "${SMTP_USER}"
+  smtp_pass: "${SMTP_PASSWORD}"
+  require_transport_security: true
+  notif_from: "%(app)s matrix homeserver <noreply@${DOMAIN_NAME}>"
+  app_name: ${DOMAIN_NAME}
+EOF
+fi
+
+
 ../keycloak/client-delete 'synapse' 2>/dev/null
 
 ../keycloak/client-create << EOF || die "unable to create client id"
@@ -67,4 +84,5 @@ EOF
 }
 EOF
 
+
 docker-compose up -d || die "matrix: unable to start container"
diff --git a/mobilizon/setup b/mobilizon/setup
index 3a35780..b3d49dc 100755
--- a/mobilizon/setup
+++ b/mobilizon/setup
@@ -5,6 +5,7 @@ DIRNAME="$(dirname $0)"
 cd "$DIRNAME"
 source ../env.production || die "no top level env?"
 source env.production || die "no local env?"
+source ../env.smtp 2>/dev/null
 
 DATA="../data/mobilizon"
 SECRETS="$DATA/env.secrets"
@@ -31,6 +32,17 @@ MOBILIZON_INSTANCE_SECRET_KEY=$(openssl rand -hex 20)
 MOBILIZON_CLIENT_SECRET=${CLIENT_SECRET}
 EOF
 
+if [ -n "$SMTP_SERVER" ]; then
+	cat <<EOF >> "$SECRETS"
+MOBILIZON_INSTANCE_EMAIL=events@${DOMAIN_NAME}
+MOBILIZON_REPLY_EMAIL=noreply@${DOMAIN_NAME}
+MOBILIZON_SMTP_SERVER=${SMTP_SERVER}
+MOBILIZON_SMTP_PORT=${SMTP_PORT}
+MOBILIZON_SMTP_USERNAME=${SMTP_USER}
+MOBILIZON_SMTP_PASSWORD=${SMTP_PASSWORD}
+EOF
+fi
+
 ../keycloak/client-delete mobilizon
 
 ../keycloak/client-create <<EOF || die "unable to create client"