diff --git a/mail-server.nix b/mail-server.nix index 5d91229..4c9c8df 100644 --- a/mail-server.nix +++ b/mail-server.nix @@ -254,6 +254,10 @@ in { ]; virtualisation.arion.projects.mail-server.settings = let + redisPasswdFile = + pkgs.lib.passwd.stablerandom-passwd-file "mail-server-redis-passwd" + config.instance.build-seed; + image = { pkgs, ... }: { project.name = "mail-server"; networks = { @@ -435,6 +439,7 @@ in { host = "antivirus"; port = antivirusPort; }; + redis.password = readFile redisPasswdFile; }; }; }; @@ -501,9 +506,9 @@ in { system.nssModules = lib.mkForce [ ]; services.redis.servers."rspamd" = { enable = true; - # null -> all - bind = null; + bind = null; # null -> all port = redisPort; + requirePassFile = "/run/redis/passwd"; }; }; }; diff --git a/rspamd.nix b/rspamd.nix index c60a776..73671f1 100644 --- a/rspamd.nix +++ b/rspamd.nix @@ -48,6 +48,11 @@ in { type = port; default = 6379; }; + + password = mkOption { + type = str; + description = "Password with which to connect to Redis."; + }; }; }; @@ -71,6 +76,11 @@ in { locals = { "milter_headers.conf".text = "extended_spam_headers = yes;"; + "redis.conf".text = '' + servers = "${cfg.redis.host}:${toString cfg.redis.port}"; + password = "${cfg.redis.password}"; + ''; + "antivirus.conf".text = '' clamav { action = "reject"; @@ -95,17 +105,9 @@ in { } ''; - "dmarc.conf".text = '' - dmarc = { - servers = "${cfg.redis.host}:${toString cfg.redis.port}"; - } - ''; - "mx_check.conf".text = '' enabled = true; - servers = "${cfg.redis.host}:${toString cfg.redis.port}"; - timeout = 10.0; exclude_domains = [ 
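Review bot: The Redis password is materialised at evaluation time, so it most likely ends up in the world-readable Nix store. `redisPasswdFile` from this `let` is later passed to `readFile` (the `redis.password = readFile redisPasswdFile;` hunk), and rspamd.nix interpolates the result into `"redis.conf".text`, which is a store file. Because the value is derived from `config.instance.build-seed`, it is only as secret as that seed and will not rotate unless the seed does; what `stablerandom-passwd-file` actually produces is not visible here. Consider passing a runtime path instead and having rspamd load the password from a file readable only by its service user (for example a UCL `.include` of a file under `/run`), mirroring what `requirePassFile` does on the Redis side.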
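Review bot: `readFile` returns the file contents verbatim, so a trailing newline in the generated file would be carried by `redis.password = readFile redisPasswdFile;` into rspamd's `password = "..."` string. The value might then not match what Redis loads through `requirePassFile`. Whether the file ends in a newline is not visible in this diff. If the eval-time read stays, strip it explicitly, e.g. `redis.password = lib.removeSuffix "\n" (readFile redisPasswdFile);`.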
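Review bot: With `bind = null` Redis still listens on every interface, so `requirePassFile = "/run/redis/passwd";` becomes the only access control, and nothing in this hunk shows how that file reaches the container or who can read it. If the mount is defined elsewhere in the file, a comment would help, e.g. `# /run/redis/passwd is mounted read-only from redisPasswdFile (see volumes)`. It is also worth verifying that the service fails closed when the file is missing. Binding to the project network address rather than all interfaces would reduce reliance on the password alone. The enclosing attribute set continues outside the hunk.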
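Review bot: The new `password` option in rspamd.nix has no `default`, so every configuration using this module fails to evaluate until it sets one, including setups whose Redis has no authentication. If that is not intended, make it optional, e.g. `type = nullOr str; default = null;` (assuming `nullOr` is in scope the same way `str` is), and emit the `password` line only when it is set. The description should also say where the value ends up, e.g. `description = "Password with which to connect to Redis. Written into the generated rspamd config in the Nix store.";`.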
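Review bot: `password = "${cfg.redis.password}";` splices the secret into a double-quoted UCL string without escaping, so a password containing `"` or `\` would produce a broken or silently different value in `redis.conf`. Either restrict the generator's alphabet and state that constraint in the option description, or escape the value before interpolation. Separately, moving `servers` into a shared `redis.conf` means that any rspamd module which picks up the global Redis settings will now use this server; that looks intended, but confirm it for modules beyond those whose per-module `servers` lines are removed in the later hunks.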
@@ -119,38 +121,22 @@ in { ip_reputation = { selector "ip" { } - backend "redis" { - servers = "${cfg.redis.host}:${toString cfg.redis.port}"; - } - symbol = "IP_REPUTATION"; } spf_reputation = { selector "spf" { } - backend "redis" { - servers = "${cfg.redis.host}:${toString cfg.redis.port}"; - } - symbol = "SPF_REPUTATION"; } dkim_reputation = { selector "dkim" { } - backend "redis" { - servers = "${cfg.redis.host}:${toString cfg.redis.port}"; - } - symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT } generic_reputation = { selector "generic" { selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html } - backend "redis" { - servers = "${cfg.redis.host}:${toString cfg.redis.port}"; - } - symbol = "GENERIC_REPUTATION"; } }