diff --git a/modules/mail.nix b/modules/mail.nix
index 5dae503..124393a 100644
--- a/modules/mail.nix
+++ b/modules/mail.nix
@@ -48,7 +48,8 @@
     };
   };
 
-  # Allow Stalwart to read the ACME certificate procured for Caddy
+  # Allow Stalwart to read the ACME certificate procured for Caddy and the agenix secret
   systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ];
+  systemd.services.stalwart.serviceConfig.ReadOnlyPaths = [ "/run/agenix/stalwart-admin" ];
 
 }