diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
index 4d7f950..76eadb1 100644
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@@ -148,6 +148,7 @@ in {
             # In order to accept mail that we only forward
             # without having to generate an account.
             # Invalid addresses are filtered by DFN beforehand.
+            # See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses
             catch-all = true;
             relay = [
               {
@@ -267,6 +268,7 @@ in {
         "stalwart-mail" = {
           restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
           serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+          serviceConfig.ProtectSystem = lib.mkForce "full"; # "strict" does not allow writing to /tmp which we need for unpacking the webadmin interface. "full" is less strict.
         };
         "virt-aliases-generator" = {
           description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";