diff --git a/nixos/modules/services/mail/postfix-tlspol.nix b/nixos/modules/services/mail/postfix-tlspol.nix
index 01373659da4a..e86c65384663 100644
--- a/nixos/modules/services/mail/postfix-tlspol.nix
+++ b/nixos/modules/services/mail/postfix-tlspol.nix
@@ -10,6 +10,7 @@ let
     hasPrefix
     mkEnableOption
     mkIf
+    mkMerge
     mkOption
     mkPackageOption
     types
@@ -121,100 +122,111 @@ in
     };
   };
 
-  config = mkIf cfg.enable {
-    environment.etc."postfix-tlspol/config.yaml".source =
-      format.generate "postfix-tlspol.yaml" cfg.settings;
-
-    environment.systemPackages = [ cfg.package ];
-
-    # https://github.com/Zuplu/postfix-tlspol#postfix-configuration
-    services.postfix.config = mkIf (config.services.postfix.enable && cfg.configurePostfix) {
-      smtp_dns_support_level = "dnssec";
-      smtp_tls_security_level = "dane";
-      smtp_tls_policy_maps =
-        let
-          address =
-            if (hasPrefix "unix:" cfg.settings.server.address) then
-              cfg.settings.server.address
-            else
-              "inet:${cfg.settings.server.address}";
-        in
-        [ "socketmap:${address}:QUERYwithTLSRPT" ];
-    };
-
-    systemd.services.postfix-tlspol = {
-      after = [
-        "nss-lookup.target"
-        "network-online.target"
-      ];
-      wants = [
-        "nss-lookup.target"
-        "network-online.target"
-      ];
-      wantedBy = [ "multi-user.target" ];
-
-      description = "Postfix DANE/MTA-STS TLS policy socketmap service";
-      documentation = [ "https://github.com/Zuplu/postfix-tlspol" ];
-
-      # https://github.com/Zuplu/postfix-tlspol/blob/main/init/postfix-tlspol.service
-      serviceConfig = {
-        ExecStart = toString [
-          (lib.getExe cfg.package)
-          "-config"
-          "/etc/postfix-tlspol/config.yaml"
-        ];
-        ExecReload = "${lib.getExe' pkgs.util-linux "kill"} -HUP $MAINPID";
-        Restart = "always";
-        RestartSec = 5;
-
-        DynamicUser = true;
-
-        CacheDirectory = "postfix-tlspol";
-        CapabilityBoundingSet = [ "" ];
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        ReadOnlyPaths = [ "/etc/postfix-tlspol/config.yaml" ];
-        RemoveIPC = true;
-        RestrictAddressFamilies =
-          [
-            "AF_INET"
-            "AF_INET6"
-          ]
-          ++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
-            "AF_UNIX"
-          ];
-        RestrictNamespace = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged @resources"
-        ];
-        SystemCallErrorNumber = "EPERM";
-        SecureBits = [
-          "noroot"
-          "noroot-locked"
-        ];
-        RuntimeDirectory = "postfix-tlspol";
-        RuntimeDirectoryMode = "1750";
-        WorkingDirectory = "/var/cache/postfix-tlspol";
-        UMask = "0117";
+  config = mkMerge [
+    (mkIf (cfg.enable && config.services.postfix.enable && cfg.configurePostfix) {
+      # https://github.com/Zuplu/postfix-tlspol#postfix-configuration
+      services.postfix.config = {
+        smtp_dns_support_level = "dnssec";
+        smtp_tls_security_level = "dane";
+        smtp_tls_policy_maps =
+          let
+            address =
+              if (hasPrefix "unix:" cfg.settings.server.address) then
+                cfg.settings.server.address
+              else
+                "inet:${cfg.settings.server.address}";
+          in
+          [ "socketmap:${address}:QUERYwithTLSRPT" ];
       };
-    };
-  };
+
+      systemd.services.postfix = {
+        wants = [ "postfix-tlspol.service" ];
+        after = [ "postfix-tlspol.service" ];
+      };
+
+      users.users.postfix.extraGroups = [ "postfix-tlspol" ];
+    })
+
+    (mkIf cfg.enable {
+      environment.etc."postfix-tlspol/config.yaml".source =
+        format.generate "postfix-tlspol.yaml" cfg.settings;
+
+      environment.systemPackages = [ cfg.package ];
+
+      systemd.services.postfix-tlspol = {
+        after = [
+          "nss-lookup.target"
+          "network-online.target"
+        ];
+        wants = [
+          "nss-lookup.target"
+          "network-online.target"
+        ];
+        wantedBy = [ "multi-user.target" ];
+
+        description = "Postfix DANE/MTA-STS TLS policy socketmap service";
+        documentation = [ "https://github.com/Zuplu/postfix-tlspol" ];
+
+        # https://github.com/Zuplu/postfix-tlspol/blob/main/init/postfix-tlspol.service
+        serviceConfig = {
+          ExecStart = toString [
+            (lib.getExe cfg.package)
+            "-config"
+            "/etc/postfix-tlspol/config.yaml"
+          ];
+          ExecReload = "${lib.getExe' pkgs.util-linux "kill"} -HUP $MAINPID";
+          Restart = "always";
+          RestartSec = 5;
+
+          DynamicUser = true;
+
+          CacheDirectory = "postfix-tlspol";
+          CapabilityBoundingSet = [ "" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          ReadOnlyPaths = [ "/etc/postfix-tlspol/config.yaml" ];
+          RemoveIPC = true;
+          RestrictAddressFamilies =
+            [
+              "AF_INET"
+              "AF_INET6"
+            ]
+            ++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
+              "AF_UNIX"
+            ];
+          RestrictNamespace = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged @resources"
+          ];
+          SystemCallErrorNumber = "EPERM";
+          SecureBits = [
+            "noroot"
+            "noroot-locked"
+          ];
+          RuntimeDirectory = "postfix-tlspol";
+          RuntimeDirectoryMode = "1750";
+          WorkingDirectory = "/var/cache/postfix-tlspol";
+          UMask = "0117";
+        };
+      };
+    })
+  ];
 }
diff --git a/nixos/tests/postfix-tlspol.nix b/nixos/tests/postfix-tlspol.nix
index 0c76257f6a5a..158540ff676a 100644
--- a/nixos/tests/postfix-tlspol.nix
+++ b/nixos/tests/postfix-tlspol.nix
@@ -8,6 +8,7 @@
   meta.maintainers = with lib.maintainers; [ hexa ];
 
   nodes.machine = {
+    services.postfix.enable = true;
     services.postfix-tlspol.enable = true;
   };
 
@@ -17,6 +18,7 @@
     import json
 
     machine.wait_for_unit("postfix-tlspol.service")
+    machine.succeed("systemctl show -P SupplementaryGroups postfix.service | grep postfix-tlspol")
 
     with subtest("Interact with the service"):
       machine.succeed("postfix-tlspol -purge")