diff --git a/mail-server.nix b/mail-server.nix
index 3cbc816..18b87b4 100644
--- a/mail-server.nix
+++ b/mail-server.nix
@@ -258,6 +258,10 @@ in {
 ];
 virtualisation.arion.projects.mail-server.settings = let
+ redisPasswdFile =
+ pkgs.lib.passwd.stablerandom-password-file "mail-server-redis-passwd"
+ config.instance.build-seed;
+
 image = { pkgs, ... }: {
 project.name = "mail-server";
 networks = {
@@ -401,6 +405,7 @@ in {
 ];
 capabilities.SYS_ADMIN = true;
 depends_on = [ "antivirus" "redis" ];
+ volumes = [ "${redisPasswdFile}:/run/redis.passwd" ];
 };
 nixos = {
 useSystemd = true;
@@ -419,6 +424,7 @@ in {
 host = "antivirus";
 port = antivirusPort;
 };
+ redis.password-file = "/run/redis.passwd";
 };
 };
 };
@@ -469,7 +475,10 @@ in {
 };
 redis = {
 service = {
- volumes = [ "${cfg.state-directory}/redis:/var/lib/redis" ];
+ volumes = [
+ "${cfg.state-directory}/redis:/var/lib/redis"
+ "${redisPasswdFile}:/run/redis/passwd"
+ ];
 networks = [ "redis_network" ];
 };
 nixos = {
@@ -482,6 +491,7 @@ in {
 # null -> all
 bind = null;
 port = 6379;
+ requirePassFile = "/run/redis/passwd";
 };
 };
 };
diff --git a/rspamd.nix b/rspamd.nix
index c5bfe1d..bcecffc 100644
--- a/rspamd.nix
+++ b/rspamd.nix
@@ -37,6 +37,11 @@ in {
 description = "Port at which to reach ClamAV";
 };
 };
+
+ redis.password-file = {
+ type = str;
+ description = "Password with which to connect to Redis.";
+ };
 };
 config = mkIf cfg.enable {
@@ -46,7 +51,8 @@ in {
 port = cfg.ports.metrics;
 };
- services.rspamd = {
+ services.rspamd = let redisPasswd = readFile cfg.redis.password-file;
+ in {
 enable = true;
 locals = {
@@ -59,6 +65,7 @@ in {
 type = "clamav";
 log_clean = true;
 servers = "${cfg.antivirus.host}:${toString cfg.antivirus.port}";
+ password = "${redisPasswd}";
 scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all
 }
 '';
@@ -79,6 +86,7 @@ in {
 "dmark.conf".text = ''
 dmarc = {
 servers = "redis";
+ password = "${redisPasswd}";
 }
 '';
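Review bot: `redisPasswdFile` is produced by `pkgs.lib.passwd.stablerandom-password-file` from `config.instance.build-seed`, and the way `${redisPasswdFile}` is interpolated into docker volume strings in the -401 and -469 hunks suggests it is a store path; if so, the Redis password is reproducible by anyone holding the seed and lies world-readable under /nix/store on the host, which nothing in the code says. A comment on the binding should record that this is the accepted trade-off, e.g. `# Deterministic from build-seed and placed in /nix/store: the seed is the real secret here.` The enclosing `settings = let … in` expression continues outside the hunk.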
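Review bot: The bind mount of the password file into the rspamd container is read-write, `volumes = [ "${redisPasswdFile}:/run/redis.passwd" ];`; a store path cannot be modified anyway, but marking the mount read-only states the intent and still holds if the source ever moves off the store: `volumes = [ "${redisPasswdFile}:/run/redis.passwd:ro" ];`. The same applies to the redis-container mount added in the -469 hunk. The two containers also use different in-container paths (`/run/redis.passwd` versus `/run/redis/passwd`), which is harmless but easy to misread when comparing the services.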
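Review bot: The new option `redis.password-file` in rspamd.nix holds a path but is declared with `type = str;` and described as `"Password with which to connect to Redis."`, so a reader of the option documentation will pass the password itself. Change the description to `description = "Path to a file containing the password used to connect to Redis.";` and, since the -46 hunk reads it at evaluation time, consider `type = path;` (assuming `str` here comes from `lib.types`) so a relative or nonexistent value is rejected when the option is set rather than when `readFile` runs.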
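Review bot: `readFile cfg.redis.password-file` runs during Nix evaluation, not when rspamd starts: the mail-server.nix -419 hunk sets the option to `/run/redis.passwd`, which is the container's bind-mount target, so the file is read from wherever the NixOS configuration is evaluated (presumably the host, where that path does not exist), and under pure evaluation an absolute-path read is refused outright. Because the contents are interpolated into the `locals` texts, the password also ends up in the store-written rspamd config, so the file indirection does not keep it out of /nix/store anyway. If evaluation-time embedding is accepted, set the option directly to the store path, `redis.password-file = redisPasswdFile;`, and drop the rspamd-side bind mount from the -401 hunk; otherwise keep the mount and have rspamd read the file at runtime instead of baking it in. In either case prefer `lib.fileContents` over `readFile`, which strips the trailing newline a generated password file usually carries and which would otherwise become part of every quoted `password = "…"` value in the later hunks.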
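Review bot: The `password = "${redisPasswd}";` line in the -59 hunk is added inside the antivirus rule whose `type = "clamav"` and whose `servers` point at `cfg.antivirus.host`, i.e. the ClamAV scanner rather than Redis; unless rspamd's antivirus module reads a Redis password from that block (I cannot confirm it from here), the Redis secret is handed to a block that talks to a different service and the setting is silently ignored. Check this against rspamd's antivirus module documentation and, if it is not honoured, drop the line or move it to the module's Redis settings; if it is honoured, a short comment such as `# password for the module's redis cache, not for clamav` would stop the next reader asking the same question.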
@@ -86,6 +94,7 @@ in {
 enabled = true;
 servers = "redis";
+ password = "${redisPasswd}";
 timeout = 10.0;
@@ -102,6 +111,7 @@ in {
 }
 backend "redis" {
 servers = "redis";
+ password = "${redisPasswd}";
 }
 symbol = "IP_REPUTATION";
@@ -111,6 +121,7 @@ in {
 }
 backend "redis" {
 servers = "redis";
+ password = "${redisPasswd}";
 }
 symbol = "SPF_REPUTATION";
@@ -120,6 +131,7 @@ in {
 }
 backend "redis" {
 servers = "redis";
+ password = "${redisPasswd}";
 }
 symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
@@ -130,6 +142,7 @@ in {
 }
 backend "redis" {
 servers = "redis";
+ password = "${redisPasswd}";
 }
 symbol = "GENERIC_REPUTATION";