diff --git a/nixos/modules/services/mail/tlsrpt.nix b/nixos/modules/services/mail/tlsrpt.nix
index 732679c9b05a..83b219443fd0 100644
--- a/nixos/modules/services/mail/tlsrpt.nix
+++ b/nixos/modules/services/mail/tlsrpt.nix
@@ -270,9 +270,17 @@ in
 };
 };
- systemd.services.postfix.serviceConfig.SupplementaryGroups = mkIf (
- config.services.postfix.enable && cfg.collectd.configurePostfix
- ) [ "tlsrpt" ];
+ users.users.tlsrpt = {
+ isSystemUser = true;
+ group = "tlsrpt";
+ };
+ users.groups.tlsrpt = { };
+
+ users.users.postfix.extraGroups =
+ lib.mkIf (config.services.postfix.enable && cfg.collectd.configurePostfix)
+ [
+ "tlsrpt"
+ ];
 systemd.services.tlsrpt-collectd = {
 description = "TLSRPT datagram collector";
diff --git a/nixos/tests/tlsrpt.nix b/nixos/tests/tlsrpt.nix
index d93ac78b5240..92a7d0cda78e 100644
--- a/nixos/tests/tlsrpt.nix
+++ b/nixos/tests/tlsrpt.nix
@@ -35,7 +35,7 @@
 # Enabling postfix should put sendmail as the sendmail setting
 machine.succeed("grep -q sendmail_script=sendmail /etc/tlsrpt/reportd.cfg")
- machine.succeed("systemctl show --property SupplementaryGroups postfix.service | grep tlsrpt")
+ machine.succeed("getent group tlsrpt | grep -q postfix")
 machine.log(machine.succeed("systemd-analyze security tlsrpt-collectd.service tlsrpt-reportd.service | grep -v ✓"))
 '';
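Review bot: The `users.users.postfix.extraGroups` assignment puts the `tlsrpt` group on the postfix account itself, so every process running as postfix carries it, which is wider than the unit-scoped `SupplementaryGroups` it replaces. That is presumably needed because the Postfix daemons take their groups from the account database when they drop privileges, but the hunk does not say so. I would add a comment above the assignment, for example `# Membership is on the account, not the unit, so the Postfix daemons keep it after dropping privileges; the group should gate the tlsrpt-collectd socket only.` It is also worth confirming that the collector socket is the only resource the group can reach; the socket's mode and the enclosing `config` block are outside the hunk.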
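Review bot: `getent group tlsrpt | grep -q postfix` passes on any occurrence of the substring `postfix` in the group line, and it checks only the group database rather than what the postfix account resolves to. A tighter assertion is `machine.succeed("id -nG postfix | grep -qw tlsrpt")`, which matches the group as a whole word in the account's group list. Neither form shows that a running Postfix process holds the group; if the test VM starts postfix, a check against the live process would cover the case this commit is fixing.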