diff --git a/config/hosts/mail-2/acme.nix b/config/hosts/mail-2/acme.nix
new file mode 100644
index 0000000..c6a353c
--- /dev/null
+++ b/config/hosts/mail-2/acme.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+  security.acme.certs = {
+    "mail-2.grzb.de" = {
+      listenHTTP = ":80";
+      reloadServices = [ "postfix.service" ];
+    };
+  };
+}
diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix
index 1b622c7..b4a7192 100644
--- a/config/hosts/mail-2/configuration.nix
+++ b/config/hosts/mail-2/configuration.nix
@@ -79,7 +79,7 @@
     useDHCP = false;
     firewall = {
       enable = true;
-      allowedTCPPorts = [ 25 ];
+      allowedTCPPorts = [ 25 80 ];
     };
   };
 
diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix
index 471f0d6..ab5c757 100644
--- a/config/hosts/mail-2/default.nix
+++ b/config/hosts/mail-2/default.nix
@@ -3,5 +3,6 @@
   imports = [
     ./configuration.nix
     ./postfix.nix
+    ./acme.nix
   ];
 }
diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix
index d81e999..eb88cdf 100644
--- a/config/hosts/mail-2/postfix.nix
+++ b/config/hosts/mail-2/postfix.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ config, ... }:
+{
   # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
   services.postfix = {
     enable = true;
@@ -7,6 +8,8 @@
       "grzb.de"
       "nekover.se"
     ];
+    sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
+    sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
     extraConfig = ''
       message_size_limit = 20971520
       smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
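Review bot: The new certificate entry in acme.nix depends on `security.acme.acceptTerms = true` and an account address (`security.acme.defaults.email`) being set elsewhere; neither is in this hunk, and the NixOS ACME module fails evaluation without them, so if they are not in a shared module this host will not build. The choice of the standalone HTTP-01 listener on a mail relay is also undocumented; I would add `# HTTP-01 via lego's standalone listener: no web server runs on this host, so port 80 is free (opened in configuration.nix).` above `listenHTTP`. As written the certificate covers `mail-2.grzb.de` alone, which is fine provided that is exactly the hostname published in the MX record — presumably so, but worth confirming.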
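Review bot: The change to `allowedTCPPorts` opens port 80 to the internet permanently, while lego's standalone listener only binds it for the duration of a renewal run, so for almost all of the time this is an open port on a mail relay with nothing behind it. The risk is low (connections are refused), but a later reader will take it for a web service, so annotate it: `allowedTCPPorts = [ 25 80 ]; # 80: ACME HTTP-01 challenges only (see acme.nix), no web server`. If a supported DNS provider is available, the DNS-01 challenge (`dnsProvider` in acme.nix) would avoid exposing 80 at all. The enclosing block (presumably `networking`) starts outside the hunk.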
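Review bot: The added `sslCert`/`sslKey` lines point Postfix at the ACME files but set no TLS policy of their own, so the server-side security level and the permitted protocol versions come entirely from the NixOS module's defaults (opportunistic `may`, as far as I recall — verify against the module). Opportunistic TLS is the right level for a backup MX, since enforcing it would bounce mail from plaintext-only senders, but the protocol floor should be pinned in `extraConfig` with `smtpd_tls_protocols = >=TLSv1.2` and `smtp_tls_protocols = >=TLSv1.2` (Postfix 3.6+ syntax), plus `smtpd_tls_loglevel = 1` so handshakes are visible in the logs. The certificate directory is spelled out twice; a `let acmeDir = config.security.acme.certs."mail-2.grzb.de".directory; in` at the top of the file would keep the two paths in step. The `extraConfig` string continues past the end of the hunk.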