diff --git a/flake.lock b/flake.lock
index e62f8b8..e346d6a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -78,6 +78,22 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "buildbot-nix": {
       "inputs": {
         "flake-parts": "flake-parts",
@@ -298,6 +314,22 @@
         "type": "github"
       }
     },
+    "flake-compat_5": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -715,6 +747,7 @@
         ],
         "nix-gerrit": "nix-gerrit",
         "nixpkgs": "nixpkgs_2",
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
         "terranix": "terranix"
       }
     },
@@ -747,6 +780,29 @@
         "url": "https://static.rust-lang.org/dist/channel-rust-1.78.0.toml"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat_5",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-24_05": []
+      },
+      "locked": {
+        "lastModified": 1722877200,
+        "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "stable": {
       "locked": {
         "lastModified": 1696039360,
diff --git a/flake.nix b/flake.nix
index bad4960..cb00c24 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,6 +37,11 @@
       repo = "grapevine-fork";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+    simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
+    simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "";
+
   };
 
   outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
@@ -131,6 +136,7 @@
       buildbot.imports = commonModules ++ [ ./hosts/buildbot ];
       public01.imports = commonModules ++ [ ./hosts/public01 ];
       build-coord.imports = commonModules ++ [ ./hosts/build-coord ];
+      mail.imports = commonModules ++ [ ./hosts/mail ];
     } // builders;
 
     hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix
new file mode 100644
index 0000000..718b5f9
--- /dev/null
+++ b/hosts/mail/default.nix
@@ -0,0 +1,53 @@
+{ lib, modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  # TODO: change after adding dns
+  # deployment.targetHost = "mail.infra.forkos.org";
+  deployment.targetHost = "2a01:4f8:1c17:6866::1";
+
+  bagel.services.mail.enable = true;
+  bagel.sysadmin.enable = true;
+
+  networking = {
+    hostName = "mail";
+    domain = "infra.forkos.org";
+    dhcpcd.enable = false;
+    useNetworkd = true;
+    nameservers = [
+      # hetzner
+      "2a01:4ff:ff00::add:2"
+      "2a01:4ff:ff00::add:1"
+    ];
+  };
+
+  systemd.network = {
+    networks = {
+      "10-wan" = {
+        matchConfig.Name = "enp1s0";
+        address = [
+          "49.13.86.172/32"
+          "2a01:4f8:1c17:6866::1/64"
+          "fe80::9400:3ff:feba:39b9/64"
+        ];
+        routes = [
+          { Gateway = "fe80::1"; }
+          { Destination = "172.31.1.1"; }
+          {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          }
+        ];
+        linkConfig.RequiredForOnline = "routable";
+      };
+    };
+  };
+
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+  system.stateVersion = "23.11";
+}
diff --git a/services/default.nix b/services/default.nix
index 3009878..d6a7ceb 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -13,5 +13,6 @@
     ./buildbot
     ./newsletter
     ./s3-revproxy
+    ./mail
   ];
 }
diff --git a/services/mail/default.nix b/services/mail/default.nix
new file mode 100644
index 0000000..a84a638
--- /dev/null
+++ b/services/mail/default.nix
@@ -0,0 +1,35 @@
+{ config, lib, inputs, ... }: let
+  cfg = config.bagel.services.mail;
+  inherit (lib) mkEnableOption mkIf;
+in {
+  imports = [
+    inputs.simple-nixos-mailserver.nixosModule
+  ];
+  options.bagel.services.mail = {
+    enable = mkEnableOption "E-Mail";
+  };
+  config = mkIf cfg.enable {
+    mailserver = {
+      enable = true;
+      fqdn = "mail.forkos.org";
+      domains = [
+        "vzfdfp.de"
+      ];
+      forwards = let
+        infraMembers = [
+          "forkos.janik@aq0.de"
+        ];
+        boardMembers = [
+          "vzfdfp.janik@aq0.de"
+        ];
+      in {
+        "abuse@vzfdfp.de" = infraMembers;
+        "postmaster@vzfdfp.de" = infraMembers;
+
+        "board@vzfdfp.de" = boardMembers;
+        "vorstand@vzfdfp.de" = boardMembers;
+      };
+      certificateScheme = "acme-nginx";
+    };
+  };
+}
diff --git a/terraform/dnsimple.nix b/terraform/dnsimple.nix
index 8236554..617e27f 100644
--- a/terraform/dnsimple.nix
+++ b/terraform/dnsimple.nix
@@ -119,9 +119,14 @@ in
           (record "cache" 300 "AAAA" "2a02:168:6426::12") # smol.delroth.net
           (record "cache" 300 "A" "195.39.247.161") # sni proxy
 
+          # misc
           (record "vpn-gw.wob01.infra" 300 "AAAA" "2a01:584:11::2")
 
           (dualProxyRecords "build-coord.wob01.infra" 300 "AAAA" "2a01:584:11::1:11")
+
+          (record "mail.infra.forkos.org" 300 "A" [ "49.13.86.172" ])
+          (record "mail.infra.forkos.org" 300 "AAAA" [ "2a01:4f8:1c17:6866::1" ])
+
           # TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
         ]
         ++ (map (index: record "builder-${toString index}.wob01.infra" 300 "AAAA" "2a01:584:11::1:${toString index}") (genList lib.id 11))
@@ -141,6 +146,9 @@ in
           (record "" 300 "ALIAS" "news.forkos.org")
         ];
         "vzfdfp.de" = [
+          (record "" 300 "MX" "10 mail.infra.forkos.org")
+          (record "_dmarc" 300 "TXT" "v=DMARC1; p=none") # TODO: Setup dmarc and dmarc exporer/monitoring
+          (record "mail._domainkey" 3600 "TXT" "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8Xy2Rytpa3X/9Or3gKqH0LTn/TD3BoLf77HtUu+GsAsZit+yIVz+zTt3NoNoYsygl2Qc27zAeJhcK3w7dbKVbuWlVBqBzrLP/QK1NqR499RUAwQfyQHZkI+BCTYEY5UkWrFAwZ7LeHgtqDNtbyeCdS7MTST0DhogtIqSJKpP0/QIDAQAB")
         ];
     };
   };