diff --git a/nixos/queen/configuration.nix b/nixos/queen/configuration.nix index 4f5c1a9..a8f2bb2 100644 --- a/nixos/queen/configuration.nix +++ b/nixos/queen/configuration.nix @@ -60,8 +60,8 @@ sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name; sops.secrets."local.json".mode = "0440"; sops.secrets."local.json".owner = config.users.users.onlyoffice.name; - #sops.secrets."mailpass".mode = "0440"; - #sops.secrets."mailpass".owner = config.users.users.virtualMail.name; + sops.secrets."mailpass".mode = "0440"; + sops.secrets."mailpass".owner = config.users.users.virtualMail.name; nix = { gc = { diff --git a/nixos/queen/mail-server.nix b/nixos/queen/mail-server.nix index 6be157a..413f5ae 100644 --- a/nixos/queen/mail-server.nix +++ b/nixos/queen/mail-server.nix @@ -1,6 +1,7 @@ { inputs, outputs, + lib, config, pkgs, ... @@ -15,6 +16,8 @@ }) ]; + users.groups.virtualMail = {}; + users.users = { virtualMail = { isSystemUser = true; @@ -26,12 +29,21 @@ enable = true; fqdn = "mail.gladtherescake.eu"; domains = ["nextcloud.gladtherescake.eu"]; + mailserver.enableImapSsl = true; loginAccounts = { "no-reply@nextcloud.gladtherescake.eu" = { hashedPasswordFile = config.sops.secrets."mailpass".path; - aliases = ["postmaster@nextcloud.gladtherescake.eu" "abuse@nextcloud.gladtherescake.eu" "security@nextcloud.gladtherescake.eu"]; }; }; + forwards = { + "abuse@nextcloud.gladtherescake.eu" = "nextcloud@gladtherescake.eu"; + "postmaster@nextcloud.gladtherescake.eu" = "nextcloud@gladtherescake.eu"; + }; + openFirewall = true; + mailserver.rejectRecipients = ["no-reply@nextcloud.gladtherescake.eu"]; + certificateScheme = "acme-nginx"; }; + security.acme.acceptTerms = true; + security.acme.defaults.email = "letsencryp@gladtherescake.eu"; }
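Review bot: In the configuration.nix hunk, mode `0440` on `sops.secrets."mailpass"` makes the password hash group-readable, yet the hunk sets only `owner`, so the group that gains read access is not visible here. If a single account needs the file, `sops.secrets."mailpass".mode = "0400";` is the tighter setting. If group read is intended, state the group explicitly with `sops.secrets."mailpass".group = config.users.users.virtualMail.group;`. Also confirm that virtualMail is the account that actually reads `hashedPasswordFile`; if the mail server's setup step reads it as root, the sops-nix default ownership would already suffice.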
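Review bot: In the last mail-server.nix hunk, `mailserver.enableImapSsl` and `mailserver.rejectRecipients` carry a `mailserver.` prefix that the sibling keys (`forwards`, `openFirewall`, `certificateScheme`) do not. The enclosing attrset opens outside the hunk, but if it is `mailserver = { … }` these resolve to `mailserver.mailserver.*` and will likely fail evaluation; write `enableImapSsl = true;` and `rejectRecipients = ["no-reply@nextcloud.gladtherescake.eu"];` instead. The removed `aliases` line also covered `security@nextcloud.gladtherescake.eu`, which the new `forwards` set omits, so security reports sent there would no longer be delivered; add `"security@nextcloud.gladtherescake.eu" = "nextcloud@gladtherescake.eu";` if that was not deliberate. Finally, `security.acme.defaults.email` is set to `letsencryp@…`, which looks like a typo for `letsencrypt@…`; confirm the mailbox exists so ACME account mail is not lost.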