diff --git a/.sops.yaml b/.sops.yaml
index 6d555cf..10ec199 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 
   - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
   - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
+  - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
 
 creation_rules:
   - path_regex: nixos/machines/nyarlathotep/.*
@@ -18,6 +19,12 @@ creation_rules:
         - *nerf
         - *gonne
         - *bragi
+  - path_regex: nixos/machines/lobon/.*
+    key_groups:
+      - age:
+        - *nerf
+        - *gonne
+        - *lobon
   # this is the catchall clause if nothing above machtes. Encrypt to users but not
   # to machines
   - key_groups:
diff --git a/nixos/machines/lobon/allowlistPass.yaml b/nixos/machines/lobon/allowlistPass.yaml
new file mode 100644
index 0000000..f78af8d
--- /dev/null
+++ b/nixos/machines/lobon/allowlistPass.yaml
@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:H2J/Lfv0PjvDRinfIZfVUz8=,iv:zgu/5x2kugq5PHLze9js9kQQWNrgq07VKUUNdEXcZoE=,tag:o/oVShrYl2nTFFjvsyGC3g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByelVVT3hDcnczendsUUZl\nelArcW1yTHpnOE5KS0R5UEtEeTFoWFBWNVNjCkJIZTlZS1VZSXFUbmt5NTZwc1k2\nVmNMQTJPLzRxVXB6cGtiMXkvZXRyekUKLS0tIFZLdEdLUEZWM2pvMXpnbzFLZFov\nZkZGRVRnR2pqRy91SVYrbGt2UnZlckUKszynMc0Eci8N8E6CKCRVmry1IlvrikXo\nUEBsrCRQM44ABfkNPeci+8mtiM3cKanBkFSQWI8hymGF/Es2XK35Xg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRWo1NWZGMVI1RytXekJz\nais4cStCeVN3dGlMY2NvbmpTcmdNQ3ZjTWh3CitsaWEzUTR3T1dMZVNkQTBQc1B1\nWVU5bXlZUWNhMkNQN2Nuay9aUW1URzAKLS0tIHliOUFoVno5SHNRUWE4R0pGV0F4\nb3liS1ZpQmhoS0tTbE9UekNJNWNkSkEK82yDjqo089XMyi6mptGarErVjsRSZe0Q\nLSiNzNRyTjtII3FXx3xMvMajgH4xw9HZAKW9vGHlCJ9uDFT/O2UZFw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOTRpL1djYjVMaUZQVzZE\nckdIc1dxdW9Bckl0NFIycDNKL0RNeHRUZzNvCm5xTUVIQ3hnb2RPSEQxa3d3aWV3\ndnZhN1ovSVk3ODVMNFppdGptUVVoYnMKLS0tIDFiSEl6eTZFUkNwNnZoOEZWb1Nw\nZDRHWHJiNjRld2hZbm9mbUhYNzJjVUEKURXbmHjR20XyIoEZnTFc5X9s948tpLKF\ndo8Svj/GYRKmLiANUCUwTTbxDqZJwm0Xhw3FD7Q6MVYdU74fqLU4zA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-03-31T14:19:18Z",
+		"mac": "ENC[AES256_GCM,data:VBJFT6avZoJeh3JuXVxPWBMSPX5/pQUWYENhqjl2zAKwWZpe6CcRyrn1FSA+rcC0HGO1ZCo7koNt1HPYjEqAD9lkg90mC9o/f7kve0y/Zr/Dbd0sia1hcHXFgGWJt/goK0NvioNwCZCz1JgQB8mWHWiW7xJXJ8hRSLAlStEM/Ig=,iv:2I+cRgvisIJU7s9HeFopKTD3/GwTvbc2v/1puMXIttU=,tag:YKnf6dUfutBvOJWroqyuag==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}
\ No newline at end of file
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index 7241703..64ecc90 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -63,5 +63,38 @@ in {
     security.acme.acceptTerms = true;
 
     networking.firewall.allowedTCPPorts = [25 80 443];
+
+    # Update HRZ allowlist
+    #
+    systemd.timers."mailAllowlist" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "5m"; # Run every 5 minutes
+        OnUnitActiveSec = "5m";
+        RandomizedDelaySec = "1m"; # Randomized delay
+        Unit = "mailAllowlist.service";
+      };
+    };
+    systemd.services."mailAllowlist" = {
+      description = "Post the mail addresses used by mailman to the HRZ allow list";
+      script = ''
+        # Parse addresses
+        awk '{print $1}' /var/lib/mailman/data/postfix_lmtp | grep -v '#' | grep "\S" > addresses
+        # Post addresses to HRZ
+        curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=lists.mathebau.de -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@addresses -F meldungen=voll
+        # Cleanup
+        rm addresses
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "mailman";
+      };
+    };
+    sops.secrets.allowlistPass = {
+      sopsFile = "../machines/lobon/allowlistPass.yaml";
+      owner = "mailman";
+      group = "mailman";
+      mode = "0400";
+    };
   };
 }