diff --git a/nixos/modules/services/mail/postfix-tlspol.nix b/nixos/modules/services/mail/postfix-tlspol.nix
index e86c65384663..16f04628c809 100644
--- a/nixos/modules/services/mail/postfix-tlspol.nix
+++ b/nixos/modules/services/mail/postfix-tlspol.nix
@@ -153,6 +153,12 @@ in
 environment.systemPackages = [ cfg.package ];
+ users.users.postfix-tlspol = {
+ isSystemUser = true;
+ group = "postfix-tlspol";
+ };
+ users.groups.postfix-tlspol = { };
+
 systemd.services.postfix-tlspol = {
 after = [
 "nss-lookup.target"
@@ -178,7 +184,8 @@ in
 Restart = "always";
 RestartSec = 5;
- DynamicUser = true;
+ User = "postfix-tlspol";
+ Group = "postfix-tlspol";
 CacheDirectory = "postfix-tlspol";
 CapabilityBoundingSet = [ "" ];
@@ -208,7 +215,7 @@ in
 ++ lib.optionals (lib.hasPrefix "unix:" cfg.settings.server.address) [
 "AF_UNIX"
 ];
- RestrictNamespace = true;
+ RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
diff --git a/nixos/tests/postfix-tlspol.nix b/nixos/tests/postfix-tlspol.nix
index 158540ff676a..64da3703239a 100644
--- a/nixos/tests/postfix-tlspol.nix
+++ b/nixos/tests/postfix-tlspol.nix
@@ -18,7 +18,7 @@
 import json
 machine.wait_for_unit("postfix-tlspol.service")
- machine.succeed("systemctl show -P SupplementaryGroups postfix.service | grep postfix-tlspol")
+ machine.succeed("getent group postfix-tlspol | grep :postfix")
 with subtest("Interact with the service"):
 machine.succeed("postfix-tlspol -purge")
@@ -26,6 +26,8 @@
 response = json.loads((machine.succeed("postfix-tlspol -query localhost")))
 machine.log(json.dumps(response, indent=2))
+
+ machine.log(machine.execute("systemd-analyze security postfix-tlspol.service | grep -v ✓")[1])
 '';
 }
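Review bot: In the module hunk at `@@ -178,7 +184,8 @@`, replacing `DynamicUser = true;` with `User`/`Group` also drops the settings systemd implies for dynamic users: `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp=yes`, `RemoveIPC=yes`, `NoNewPrivileges=yes` and `RestrictSUIDSGID=yes`. Only `RestrictSUIDSGID = true;` is visible in this diff (in the `@@ -208,7 +215,7 @@` hunk); the serviceConfig continues outside the hunks, so the others may already be set there. Any that are not should be added explicitly, e.g. `ProtectSystem = "strict";`, `PrivateTmp = true;`, `RemoveIPC = true;`, so the move to a static account does not quietly loosen the sandbox. A short comment above `User =` saying why a static user is required would also help, since the change gives up DynamicUser on a hardened unit.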
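Review bot: The new check in nixos/tests/postfix-tlspol.nix at `@@ -18,7 +18,7 @@`, `getent group postfix-tlspol | grep :postfix`, is looser than it reads: the pattern matches any first member whose name merely starts with `postfix`, and it misses `postfix` when it is not listed first. Matching the member field exactly is more robust, e.g. `getent group postfix-tlspol | cut -d: -f4 | grep -E '(^|,)postfix(,|$)'`. This also verifies the group database only; the removed `SupplementaryGroups` check looked at the postfix unit itself, so whether the running postfix processes actually carry the group is no longer covered by the test.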
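Review bot: The `machine.log(machine.execute("systemd-analyze security …")[1])` line added at `@@ -26,6 +26,8 @@` only records the hardening report; `execute` never fails the test, so a regression like the `RestrictNamespace` misspelling fixed in the module hunk at `@@ -208,7 +215,7 @@` would still pass. If the hardening level is meant to be held, add an asserting form next to it, e.g. `machine.succeed("systemd-analyze security --threshold=<N> postfix-tlspol.service")`, where `<N>` is a placeholder for the exposure score the module is expected to stay under. The log line can stay for the human-readable breakdown.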