diff --git a/hosts/envoy/acme.nix b/hosts/envoy/acme.nix
index f818396..65a2986 100644
--- a/hosts/envoy/acme.nix
+++ b/hosts/envoy/acme.nix
@@ -22,7 +22,7 @@ in {
       };
       dnsProvider = "cloudflare";
       dnsPropagationCheck = true;
-      reloadServices = ["nginx"];
+      reloadServices = ["nginx" "maddy"];
     };
     inherit (acme) certs wildcardDomains;
   };
diff --git a/hosts/envoy/maddy.nix b/hosts/envoy/maddy.nix
index b9a6a22..f739916 100644
--- a/hosts/envoy/maddy.nix
+++ b/hosts/envoy/maddy.nix
@@ -79,6 +79,8 @@ in {
   ];
 
   networking.firewall.allowedTCPPorts = [25 465 993];
+  users.groups.acme.members = ["maddy"];
+
   services.maddy = {
     enable = true;
     hostname = "mx1.${primaryDomain}";
@@ -119,7 +121,7 @@ in {
 
         table.chain local_rewrites {
             optional_step sql_query {
-                driver sqlite
+                driver sqlite3
                 dsn mailboxes.db
                 lookup "SELECT alias FROM aliases WHERE address = $1"
             }
diff --git a/hosts/envoy/secrets/local.nix.age b/hosts/envoy/secrets/local.nix.age
index bf125b7..30a13cf 100644
Binary files a/hosts/envoy/secrets/local.nix.age and b/hosts/envoy/secrets/local.nix.age differ
diff --git a/modules/config/users.nix b/modules/config/users.nix
index 5693e9d..8c00826 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -30,5 +30,6 @@
     fwupd-refresh = uidGid 979;
     radicale = uidGid 978;
     podman = uidGid 977;
+    maddy = uidGid 976;
   };
 }
diff --git a/users/myuser/secrets/user.nix.age b/users/myuser/secrets/user.nix.age
index 52232d8..f59cbd6 100644
Binary files a/users/myuser/secrets/user.nix.age and b/users/myuser/secrets/user.nix.age differ