Nullmailer and systemd services

I’m trying to get vaultwarden to send mails though nullmailer relay on NixOS. I installed them both as services with added glue configuration but somehow they don’t play nicely together. Vaultwarden is able to call sendmail wrapper from nullmailer and a new email is created inside /var/spool/nullmailer/queue/. However, the email file is owned by vaultwarden user and group and has 600 permissions, so nullmailer is not able to read and deliver it.

If I understand it correctly, sendmail wrapper has setgid bit set and should run under nullmailer identity. Why does it then create files owned by vaultwarden? I even did chmod -R ug+s /var/spool/nullmailer to ensure new files are owned by nullmailer to no success.

I’ve tried searching GitHub for nullmailer examples across nix language repos, but couldn’t find anything that would actually try to make another systemd service to use nullmailer.

What am I missing (besides in depth understanding of systemd :slight_smile: ?

Here is my config:

  services.nullmailer = {
    enable = true;
    setSendmail = true;
    remotesFile = "...";
    config = {
      me = domain;
      defaulthost = domain;
      defaultdomain = domain;
      allmailfrom = admin;
      adminaddr = admin;

  services.vaultwarden = {
    enable = true;
    environmentFile = "...";
    config = {
      DOMAIN = "https://...";
      USE_SENDMAIL = true;
      SENDMAIL_COMMAND = "${}/sendmail";
      SMTP_FROM = "...";

  users.users.vaultwarden.extraGroups = [ ]; = {
    serviceConfig = {
      # Not sure which of this or the users.users.vaultwarden.extraGroups is required
      SupplementaryGroups = [ ];
      ReadWritePaths = [ "/var/spool/nullmailer/" ];

Did you succeed? I’m hitting the same issue.

In my setup - there is a systemd timer that is triggering the run of a script. That script calls mail which in turn is nullmailer.

I see that the email is actually being queued - but the nullmailer-send never manages to pick it up and deliver it (possibly a permission problem?)

If I were to add to the script - a nullmailer-send … then the email is delivered… but then I end up with an orphaned nullmailler-send

Unfortunately, not. That’s still an issue. I had to use the real SMTP config in vaultwarden, which is not ideal :frowning:

FWIW - I can ‘force’ the queue to empty out and send… but doing

$ sudo nullmailer-send

Then I can CTRL-C to terminate this sender once it’s sent the emails in the queue.

Clearly not an ideal solution - but it shows that I can get email delivered that is created by a systemd timer task. This probably only confirms that there is some sort of permission issue here.