diff --git a/.secrets/sgx/relay.yaml b/.secrets/sgx/relay.yaml
new file mode 100644
index 0000000..007ebd2
--- /dev/null
+++ b/.secrets/sgx/relay.yaml
@@ -0,0 +1,30 @@
+sasl_passwd: ENC[AES256_GCM,data:g2titpP1BJJVKtf28nNMMt0Ih07X7Hbo0X8WPM8vzx6elk9bg2F3zYeyL+3mX8TA5f0j5czaArdzImtV2yeP,iv:trWQ8dkgLlkt6ZEn+smGRCymwSQ1PT9/5+IDAA2dBBs=,tag:8m2kgVcozz/nXh1Pjux9tg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age149fqcw5jze00vd7jauylrp4j5xyv7amlu57jjfuzghkqtzlnxajs704uz3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2R2VtQzk0b051NC9yRGh6
+ cWlUM2xDZkJGYWQvTDZneWVBYlJJNCtqV0VnCnY5NjJpZ2VBL215bWpHTWFicXVF
+ WDFsUnI2cU5BRi8vMWZrT3lKU25EbmsKLS0tIE9iVXNTK2laSEhMb0RDWmJoSEhF
+ SG8vblBGczBITUVCWlEwdCt6TExDb28KyNeytOtFgmCIb7guFaMkXscywFwMDgwH
+ eXAXxmyLytCD0BJzySOkiyVU3KBxLKR5dKmlXdP5nbYp490A2CFHrA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUm16d0NrUS95VVB3MmI4
+ WnZuaEZMZXlzcGZpU2xVREdWaG43UkZna1hJCnpSZHd1VjZENlRrNUJZY21lenJi
+ Vm42cThZY3Q1TVBuSTFMVzQ0VW9UZEUKLS0tIFpkYXNvOGhkdVBNTFY0cENoNWtI
+ TjBUM3NhdXdRNmE4S2hZZWdDNFhsKzgKhr/h3AB5QrXtw3cU8Uj05mUVvwiXWnkD
+ QGIUXkeYGRpydARKtqS+JRfhBEqNvbGA7ZQfRl6nthVQW6+Z4A/meA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-05-21T07:23:21Z"
+ mac: ENC[AES256_GCM,data:CYBVtcCA+9VnoywXYKDnwW4CQ+ej6Z1mJjXeVOa2QnTICLmjFYw8RXlq/MiXOICUUR14/f5MkEZ2cDpfT75VMtnR7H/8/fyztyhrqADE7Zq17I46OY/9DQSPVn0bIHkxIObMV4/zUZlKxEjPIqs5E9q3bYVbBNcvmFTatlwguuQ=,iv:33edv7Y0OIgrQqhW+K5EAZKqr+WRyJGG7EKBwNIAqSQ=,tag:udCcDkdNmPxLbcfXk2qfFA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/systems/x86_64-linux/sgx/mail.nix b/systems/x86_64-linux/sgx/mail.nix
index c8b67db..5b81cba 100644
--- a/systems/x86_64-linux/sgx/mail.nix
+++ b/systems/x86_64-linux/sgx/mail.nix
@@ -4,7 +4,27 @@
 mailutils
 mutt
 ];
- services.postfix.enable = true;
- services.postfix.rootAlias = config.metacfg.user.name;
- services.postfix.extraAliases = "admin: root";
+
+ services.postfix = {
+ enable = true;
+ relayHost = "smtp.gmail.com";
+ relayPort = 587;
+ rootAlias = "harald.hoyer@gmail.com";
+ extraAliases = "admin: root";
+ config = {
+ smtp_use_tls = "yes";
+ smtp_sasl_auth_enable = "yes";
+ smtp_sasl_security_options = "";
+ smtp_sasl_password_maps = "texthash:${config.sops.secrets.sasl_passwd.path}";
+ # optional: Forward mails to root (e.g. from cron jobs, smartd)
+ # to me privately and to my work email:
+ virtual_alias_maps = "inline:{ {root=you@gmail.com, you@work.com} }";
+ };
+ };
+
+ sops.secrets.sasl_passwd = {
+ sopsFile = ../../../.secrets/sgx/relay.yaml; # bring your own password file
+ owner = config.services.postfix.user;
+ };
+
 }
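Review bot: `smtp_use_tls = "yes"` only enables opportunistic TLS (it is the deprecated spelling of `smtp_tls_security_level = may`), and with `smtp_sasl_security_options = ""` Postfix may send the relay password with a plaintext mechanism on a session where STARTTLS was never negotiated. I would make encryption mandatory and keep anonymous mechanisms disabled: `smtp_tls_security_level = "encrypt";` and `smtp_sasl_security_options = "noanonymous";`. Separately, `virtual_alias_maps` is actually set despite its "optional" comment, and `you@gmail.com` / `you@work.com` look like template placeholders, so mail for root (cron, smartd) would presumably be forwarded to mailboxes the operator does not control; drop the line or put the real recipients there. The enclosing attribute set starts and ends outside the hunk.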