Nullmailer and systemd services

I’m trying to get vaultwarden to send mails though nullmailer relay on NixOS. I installed them both as services with added glue configuration but somehow they don’t play nicely together. Vaultwarden is able to call sendmail wrapper from nullmailer and a new email is created inside /var/spool/nullmailer/queue/. However, the email file is owned by vaultwarden user and group and has 600 permissions, so nullmailer is not able to read and deliver it.

If I understand it correctly, sendmail wrapper has setgid bit set and should run under nullmailer identity. Why does it then create files owned by vaultwarden? I even did chmod -R ug+s /var/spool/nullmailer to ensure new files are owned by nullmailer to no success.

I’ve tried searching GitHub for nullmailer examples across nix language repos, but couldn’t find anything that would actually try to make another systemd service to use nullmailer.

What am I missing (besides in depth understanding of systemd :slight_smile: ?

Here is my config:

  services.nullmailer = {
    enable = true;
    setSendmail = true;
    remotesFile = "...";
    config = {
      me = domain;
      defaulthost = domain;
      defaultdomain = domain;
      allmailfrom = admin;
      adminaddr = admin;

  services.vaultwarden = {
    enable = true;
    environmentFile = "...";
    config = {
      DOMAIN = "https://...";
      USE_SENDMAIL = true;
      SENDMAIL_COMMAND = "${}/sendmail";
      SMTP_FROM = "...";

  users.users.vaultwarden.extraGroups = [ ]; = {
    serviceConfig = {
      # Not sure which of this or the users.users.vaultwarden.extraGroups is required
      SupplementaryGroups = [ ];
      ReadWritePaths = [ "/var/spool/nullmailer/" ];

Did you succeed? I’m hitting the same issue.

In my setup - there is a systemd timer that is triggering the run of a script. That script calls mail which in turn is nullmailer.

I see that the email is actually being queued - but the nullmailer-send never manages to pick it up and deliver it (possibly a permission problem?)

If I were to add to the script - a nullmailer-send … then the email is delivered… but then I end up with an orphaned nullmailler-send

Unfortunately, not. That’s still an issue. I had to use the real SMTP config in vaultwarden, which is not ideal :frowning: