diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index d106c0f..597a2f1 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -93,7 +93,25 @@ in {
     serviceConfig = {
       Type = "oneshot";
       User = "mailman";
+      NoNewPrivileges = true;
+      # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
       PrivateTmp = true;
+      ProtectHome = true;
+      ReadOnlyPaths = "/";
+      ReadWritePaths = "/tmp";
+      InaccessiblePaths = "-/lost+found";
+      PrivateDevices = true;
+      PrivateUsers = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
     };
   };
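Review bot: `ReadOnlyPaths = "/";` combined with `ReadWritePaths = "/tmp";` leaves this oneshot with no writable location other than its private /tmp, yet the hunk grants nothing for Mailman's own state or log directories; if the ExecStart (outside this hunk) writes under /var/lib or /var/log the unit will now fail with a read-only filesystem error, so whatever it writes needs an explicit `ReadWritePaths` entry or a `StateDirectory`/`LogsDirectory` grant. The idiomatic spelling of a read-only root is `ProtectSystem = "strict";` rather than `ReadOnlyPaths = "/"`, and it composes with those directory options. The added set also stops short of the controls with the most leverage against a compromised process: there is no syscall filter, no address-family or namespace restriction, and the capability bounding set is left at its default, so I would add the lines below alongside the existing ones. `MemoryDenyWriteExecute = true;` deserves a comment such as `# Re-check if any Mailman dependency needs W+X mappings (JIT, libffi closures).` since that is the one setting here most likely to surface later as an obscure crash. The serviceConfig attrset is complete in the hunk, but the enclosing unit definition starts before it.
```nix
      ProtectSystem = "strict";
      # Only the paths the oneshot actually writes belong here; confirm against ExecStart.
      ReadWritePaths = [ "/tmp" ];
      CapabilityBoundingSet = "";
      RestrictNamespaces = true;
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
      # … unchanged: remaining Protect*/Restrict* settings …
```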