diff --git a/proftpd-basic.conf.patch b/proftpd-basic.conf.patch
index 18dc828..0fb270e 100644
--- a/proftpd-basic.conf.patch
+++ b/proftpd-basic.conf.patch
@@ -38,7 +38,7 @@ Index: sample-configurations/basic.conf
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
-@@ -23,43 +33,192 @@ Umask 022
+@@ -23,43 +33,210 @@ Umask 022
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
@@ -170,7 +170,7 @@ Index: sample-configurations/basic.conf
+#####
-+# Include other confs
++# Include other confs, e.g. tls.conf
+#Include /etc/proftpd/conf.d/*.conf
+
+#####
@@ -206,6 +206,14 @@ Index: sample-configurations/basic.conf
+ # Deny from All
+ #
+
++ ## or 'Include' a limit file with rules
++ ## include one file and use more than once ;)
++ #
++ # Order Allow,Deny
++ # Include /etc/proftpd/includes/limit.conf
++ # Deny from All
++ #
++
+ # Limit WRITE everywhere in the anonymous chroot
+
+ DenyAll
@@ -246,14 +254,24 @@ Index: sample-configurations/basic.conf
+ #
+ #
+
++ ## or 'Include' a limit file with rules
++ ## include one file and use more than once ;)
++ #
++ #
++ # Order Allow,Deny
++ # Include /etc/proftpd/includes/limit.conf
++ # Deny from All
++ #
++ #
++
+ # An upload directory that allows storing files but not retrieving
+ # or creating directories.
+ #
+ #
-+ DenyAll
++ # DenyAll
+ #
+ #
-+ AllowAll
++ # AllowAll
+ #
+ #
diff --git a/proftpd-limit.template b/proftpd-limit.template
new file mode 100644
index 0000000..a9c283c
--- /dev/null
+++ b/proftpd-limit.template
@@ -0,0 +1,6 @@
+### when you use spaces as separator then you can use it also with apache ;)
+### just some examples
+ Allow from localhost 127.0.0.1 ::1
+ Allow from 1.2.3.4 5.6.7.8
+ Allow from .example.com .test.org
+ Allow from 2.3.4.5 11:22:33:44::/64
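Review bot: The example entries `Allow from 1.2.3.4 5.6.7.8` and `Allow from 2.3.4.5 11:22:33:44::/64` use routable addresses, so an admin who copies this template to `limit.conf` unchanged grants access to hosts they do not control. Reserved documentation ranges avoid that, e.g. `Allow from 192.0.2.10 198.51.100.20` and `Allow from 192.0.2.30 2001:db8:1::/64`. The `.example.com .test.org` line presumably matches on reverse DNS, which the connecting side controls, so a comment there should say that name-based rules are weaker than address rules. The header comment should also state that the file must be copied to `includes/limit.conf` before the `Include` shown in the sample config resolves.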
diff --git a/proftpd-ssl.README b/proftpd-ssl.README
new file mode 100644
index 0000000..b83c7a8
--- /dev/null
+++ b/proftpd-ssl.README
@@ -0,0 +1,16 @@
+Place your CA.crt, crt and key file here and create sysmlinks like following ...
+
+ssl
+├── proftpd.cacert.pem -> CA.crt
+├── proftpd.cert.pem -> wildcard.example.com.crt
+├── proftpd.key.pem -> wildcard.example.com.pem
+├── CA.crt
+├── wildcard.example.com.crt
+└── wildcard.example.com.pem
+
+then:
+copy conf.d/tls.template to conf.d/tls.conf
+
+finally:
+uncomment '#Include /etc/proftpd/conf.d/*.conf' in proftp.conf
+
diff --git a/proftpd-tls.template b/proftpd-tls.template
new file mode 100644
index 0000000..ff95802
--- /dev/null
+++ b/proftpd-tls.template
@@ -0,0 +1,38 @@
+###############################################################################
+# http://www.proftpd.org/docs/contrib/mod_tls.html
+###############################################################################
+
+ # If mod_tls was built as a shared/DSO module, load it
+ LoadModule mod_tls.c
+
+
+
+ TLSEngine on
+ TLSLog /var/log/proftpd/tls.log
+
+ # Support both SSLv3 and TLSv1
+ TLSProtocol SSLv3 TLSv1
+
+ # Are clients required to use FTP over TLS when talking to this server?
+ TLSRequired off
+
+ # Server's RSA certificate
+ TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
+ TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
+
+ # CA (or CA chain) the server trusts
+ TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem
+
+ # Authenticate clients that want to use FTP over TLS?
+ TLSVerifyClient off
+
+ # Allow SSL/TLS renegotiations when the client requests them, but
+ # do not force the renegotations. Some clients do not support
+ # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
+ # clients will close the data connection, or there will be a timeout
+ # on an idle data connection.
+ TLSRenegotiate none
+
+ # Should Server request a Clients Certificate and send valid CA list ?
+ TLSOptions NoCertRequest NoSessionReuseRequired
+
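Review bot: `TLSProtocol SSLv3 TLSv1` enables SSLv3, which is broken (POODLE), and `TLSRequired off` lets clients send credentials in cleartext, so a site that copies this template to `tls.conf` as the README instructs ends up with a weak TLS setup. Safer defaults would be `TLSProtocol TLSv1.2` (provided the packaged mod_tls/OpenSSL supports it) and `TLSRequired on`, with a comment explaining how to relax them for legacy clients. `NoSessionReuseRequired` in `TLSOptions` turns off the check that a data connection reuses the control connection's TLS session, which exists to stop data-connection hijacking. It should be commented out by default, with a note that it is a compatibility workaround for clients that cannot reuse sessions.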
diff --git a/proftpd.changes b/proftpd.changes
index edb4924..02ebad4 100644
--- a/proftpd.changes
+++ b/proftpd.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Mar 6 22:32:07 UTC 2017 - chris@computersalat.de
+
+- fix and update proftpd-basic.conf.patch
+- add some sample config and templates for tls
+ * proftpd-tls.template
+ * proftpd-limit.conf
+ * proftpd-ssl.README
+
-------------------------------------------------------------------
Sun Feb 5 20:03:18 UTC 2017 - chris@computersalat.de
diff --git a/proftpd.spec b/proftpd.spec
index ebf8cf5..86e2ecf 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -32,6 +32,9 @@ Source12: %{name}.passwd
Source13: %{name}.service
Source14: %{name}.tmpfile
Source15: %{name}.keyring
+Source16: %{name}-tls.template
+Source17: %{name}-limit.template
+Source18: %{name}-ssl.README
#PATCH-FIX-openSUSE: pam, logrotate, xinet
Patch100: %{name}-dist.patch
#PATCH-FIX-openSUSE: provide a useful default config
@@ -190,8 +193,11 @@ export CXXFLAGS="$CFLAGS"
%{__install} -D -m 0755 contrib/ftpasswd $RPM_BUILD_ROOT%{_sbindir}/
# some needed dirs
-%{__install} -d $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/{conf.d,auth}
-%{__install} -m 0440 %{S:12} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd
+%{__install} -D -m 0440 %{S:12} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd
+%{__install} -D -m 0644 %{S:16} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/conf.d/tls.template
+%{__install} -D -m 0644 %{S:18} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/conf.d/README
+%{__install} -D -m 0644 %{S:17} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/includes/limit.template
+%{__install} -D -m 0644 %{S:18} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/ssl/README
%{__install} -d -m 0750 $RPM_BUILD_ROOT/var/log/%{name}
# systemd vs SysVinit
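Review bot: The line installing `%{S:18}` as `conf.d/README` puts the ssl README, whose first sentence is "Place your CA.crt, crt and key file here", into `conf.d`. The `%files` section declares that directory 0755 and the file is installed 0644, so an admin following that copy literally would drop the private key into a world-traversable directory. Either drop the `conf.d/README` install line (and its `%config` entry in `%files`), or ship a separate short README for `conf.d` that only points to `/etc/proftpd/ssl/`.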
@@ -261,9 +267,15 @@ export CXXFLAGS="$CFLAGS"
%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/
%dir %attr(0750,ftp,ftp) %{_sysconfdir}/%{name}/auth/
%config(noreplace) %attr(0440,root,ftp) %{_sysconfdir}/%{name}/auth/passwd
-%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d
+%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d/
+%config %{_sysconfdir}/%{name}/conf.d/tls.template
+%config %{_sysconfdir}/%{name}/conf.d/README
+%dir %attr(0755,root,root) %{_sysconfdir}/%{name}/includes/
+%config %{_sysconfdir}/%{name}/includes/limit.template
%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.conf
%{_sysconfdir}/%{name}/PROFTPD-MIB.txt
+%dir %attr(0700,ftp,ftp) %{_sysconfdir}/%{name}/ssl/
+%config %{_sysconfdir}/%{name}/ssl/README
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/pam.d/%{name}
%config(noreplace) %{_sysconfdir}/xinetd.d/%{name}
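Review bot: `%dir %attr(0700,ftp,ftp) %{_sysconfdir}/%{name}/ssl/` makes the unprivileged `ftp` account the owner of the directory meant to hold the server's TLS private key. If session processes run as `ftp` (which the `auth/` ownership suggests, though the daemon config is not in this diff), a compromised session could read or replace the key and certificates. mod_tls loads the key while the daemon still has root privileges, so `%dir %attr(0700,root,root) %{_sysconfdir}/%{name}/ssl/` should be sufficient. The README and template entries are also marked plain `%config` with no `%attr`. They are read-only samples, so consider listing them as ordinary files, or add a comment saying they are intentionally overwritten on update.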