diff --git a/app.conf.sample b/app.conf.sample
index 4e090ec..253182f 100644
--- a/app.conf.sample
+++ b/app.conf.sample
@@ -13,3 +13,4 @@ miab_admin=miabadmin@domain.tld
 miab_passwd=miabadminpassword
 miab_url=https://miaburl.domain.tld/admin
 
+max_aliases=5
diff --git a/app.py b/app.py
index 6e72def..85a02a7 100644
--- a/app.py
+++ b/app.py
@@ -53,6 +53,11 @@ if config['DEFAULT']['cookie_name']:
 else:
     cookie_name = "accounts"
 
+if config['DEFAULT']['max_aliases']:
+    max_aliases = int(config['DEFAULT']['max_aliases'])
+else:
+    max_aliases=5
+
 
 # functions
 
@@ -94,9 +99,47 @@ def get_aliases(username):
         i+=1
     return aliases
 
+# get all addresses available on miab
+def get_addresses():
+    addresses = []
+    # get alias data
+    a = requests.get(miab_url + "/mail/aliases?format=json", auth=(miab_admin, miab_passwd))
+    aliases = a.json()
+    i=0
+    while i < len(aliases):
+        j=0
+        while j < len(aliases[i]['aliases']):
+            addresses.append(aliases[i]['aliases'][j]['address'])
+            j+=1
+        i+=1
+
+    # get user data
+    u = requests.get(miab_url + "/mail/users?format=json", auth=(miab_admin, miab_passwd))
+    users = u.json()
+    i=0
+    while i < len(users):
+        j=0
+        while j < len(users[i]['users']):
+            addresses.append(users[i]['users'][j]['email'])
+            j+=1
+        i+=1
+    return addresses
+
+# get all valid domains from miab
+def get_domains():
+    domains = []
+    u = requests.get(miab_url + "/mail/users?format=json", auth=(miab_admin, miab_passwd))
+    users = u.json()
+    i=0
+    while i < len(users):
+        domains.append(users[i]['domain'])
+        i+=1
+    return domains
+
 
 # routing
 
+# render main page
 @get('/')
 def home():
     username = logged_in()
@@ -104,7 +147,7 @@ def home():
     if username:
         aliases = get_aliases(username)
         # render homepage
-        return template('default', username=username, app_name=app_name, message=message, aliases=aliases)
+        return template('default', username=username, app_name=app_name, message=message, aliases=aliases, max_aliases=max_aliases)
     else:
         # render login
         message = request.get_cookie(cookie_name + "_message", secret=cookie_secret)
@@ -166,25 +209,68 @@ def post_password():
     else:
         redirect('/')
 
+# create an email alias
+@post('/alias/add')
+def add_alias():
+    username = logged_in()
+    if username:
+        add = request.forms.get('add')
+        aliases = get_aliases(username)
+        #it must be below max_aliases
+        if len(aliases) < max_aliases:
+            #it must be in domains
+            domains = get_domains()
+            addresses = get_addresses()
+            for domain in domains:
+                if domain == add[(add.find("@")+1):]:
+                    #it must not be in addresses
+                    for address in addresses:
+                        if address == add:
+                            #match found. break
+                            message = { "message": str(add) + " does already exist", "alert": "danger" }
+                            response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
+                            redirect('/')
+                    #create the alias
+                    data = { "address": add, "forwards_to": username }
+                    r = requests.post(miab_url + "/mail/aliases/add", data=data, auth=(miab_admin, miab_passwd))
+                    if r.status_code == 200:
+                        message = { "message": str(add) + " has been created successfully", "alert": "success" }
+                        response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
+                        redirect('/')
+                    else:
+                        message = { "message": "Something went wrong while creating " + str(add), "alert": "danger" }
+                        response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
+                        redirect('/')
+            message = { "message":  str(add[(add.find("@")+1):]) + " is not a valid domain", "alert": "danger" }
+            response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
+            redirect('/')
+        else:
+            message = { "message":  "You have reached the alias limit", "alert": "danger" }
+            response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
+            redirect('/')
+    else:
+        redirect("/")
 
-#@post('/alias/add')
-#def add_alias():
-#    pass
-
-# delete alias
+# delete an email alias
 @post('/alias/delete')
 def delete_alias():
     username = logged_in()
     if username:
-        remove = request.forms.get('remove')
+        delete = request.forms.get('delete')
         aliases = get_aliases(username)
         for alias in aliases:
-            if alias == remove:
+            if alias == delete:
                 #remove the alias
-                #requests.post()
-                message = { "message": "The alias " + str(remove) + " has been removed successfully", "alert": "success" }
-                response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
-                redirect('/')
+                data = { "address": delete, }
+                r = requests.post(miab_url + "/mail/aliases/remove", data=data, auth=(miab_admin, miab_passwd))
+                if r.status_code == 200:
+                    message = { "message": "The alias " + str(delete) + " has been removed successfully", "alert": "success" }
+                    response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
+                    redirect('/')
+                else:
+                    message = { "message": "Something went wrong while removing an alias", "alert": "danger" }
+                    response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
+                    redirect('/')
         message = { "message": "You're trying to do something filthy", "alert": "danger"}
         response.set_cookie(cookie_name + "_message", message, secret=cookie_secret, max_age=5, path="/")
         redirect('/')
@@ -206,7 +292,7 @@ def delete_alias():
 
 
 # run development webserver
-#run(host='localhost', port=8000, debug=True, reloader=True)
+run(host='localhost', port=8000, debug=True, reloader=True)
 
 # run prod server
-run(host='0.0.0.0', port=8000)
+#run(host='0.0.0.0', port=8000)
diff --git a/views/default.tpl b/views/default.tpl
index e39a2ec..d62f910 100644
--- a/views/default.tpl
+++ b/views/default.tpl
@@ -82,7 +82,7 @@
              Besides your primary email address you can use an alias to send your emails.<br>
              <small>Available domains: <b>@aundas.org</b>, <b>@socialnerds.org</b>,
              <b>@phlo.at</b>, <b>@gmur.ml</b>, <b>@socialg.it</b><br>
-             Be aware the limit of five active aliases.</small>
+             Be aware the limit of {{ max_aliases }} active aliases.</small>
           </p>
 
           %for alias in aliases:
@@ -90,31 +90,35 @@
             <form class="form-inline" action="/alias/delete", method="post">
               <div class="form-group">
                 <input type="text" class="form-control" id="deletealiasInput" value="{{ alias }}" disabled>
-                <input name="remove" type="hidden" class="form-control" id="deletealiasInput2" value="{{ alias }}">
+                <input name="delete" type="hidden" class="form-control" id="deletealiasInput2" value="{{ alias }}">
               </div>
               <button type="submit" class="btn btn-danger">delete</button>
             </form>
             </p>
           %end
-
-          <form class="form-inline">
-            <div class="form-group">
-              <input type="email" class="form-control" id="ceatealiasInput" placeholder="alias@socialnerds.org">
-            </div>
-            <button type="submit" class="btn btn-primary">create</button>
-          </form>
-
+          <p>
+            <form class="form-inline" action="/alias/add", method="post">
+              <div class="form-group">
+                <input name="add" type="email" class="form-control" id="ceatealiasInput" placeholder="alias@socialnerds.org">
+              </div>
+              %if len(aliases) < max_aliases:
+                <button type="submit" class="btn btn-primary">create</button>
+              %else:
+                <button type="submit" class="btn btn-primary">create</button disabled>
+              %end
+            </form>
+          </p>
 
       </div>
 
       <div class="starter-template">
         <h2>Delete account</h2>
           <hr>
-          <p>Entering your full account name and hitting the delete button will render your <a href="https://socialnerds.org/account">SocialNerds account</a> unavailable and <b>remove all data from your servers</b>.<br><small>The actual removal will happen within a week.</small></p>
+          <p>Entering your password and hitting the delete button will render your <a href="https://socialnerds.org/account">SocialNerds account</a> unavailable and <b>remove all data from your servers</b>.<br><small>The actual removal will happen within a week.</small></p>
 
           <form class="form-inline">
             <div class="form-group">
-              <input type="email" class="form-control" id="deleteaccountInput" placeholder="{{ username }}">
+              <input name="password" type="password" class="form-control" id="deleteaccountInput" placeholder="Password">
             </div>
             <button type="submit" class="btn btn-danger">delete</button>
           </form>