diff --git a/hosts/falkenstein/modules/mail/rspamd.nix b/hosts/falkenstein/modules/mail/rspamd.nix
index d2ce916..f53b21a 100644
--- a/hosts/falkenstein/modules/mail/rspamd.nix
+++ b/hosts/falkenstein/modules/mail/rspamd.nix
@@ -7,7 +7,7 @@
 postfix.enable = true;
 locals = {
 "worker-controller.inc".text = ''
- password = "$2$g1jh7t5cxschj11set5wksd656ixd5ie$cgwrj53hfb87xndqbh5r3ow9qfi1ejii8dxok1ihbnhamccn1rxy";
+ secure_ip = "0.0.0.0/0";
 '';
 "redis.conf".text = ''
 read_servers = "/run/redis-rspamd/redis.sock";
@@ -39,6 +39,18 @@
 };
 };
 caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''
+
+ # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
+ reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
+
+ # forward authentication to authentik
+ forward_auth http://nuc.vpn.rfive.de:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+
+ # capitalization of the headers is important, otherwise they will be empty
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ }
+
 reverse_proxy 127.0.0.1:11334
 '';
 };
diff --git a/hosts/nuc/modules/authentik/default.nix b/hosts/nuc/modules/authentik/default.nix
index 3043588..6913f98 100644
--- a/hosts/nuc/modules/authentik/default.nix
+++ b/hosts/nuc/modules/authentik/default.nix
@@ -20,4 +20,6 @@ in
 services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy localhost:9000
 '';
+ # open the firewall for proxy auth
+ networking.firewall.allowedTCPPorts = [ 9000 ];
 }
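Review bot: `secure_ip = "0.0.0.0/0"` in worker-controller.inc grants password-less, full-privilege access to the rspamd controller from every source address, so the only things left between the network and the controller API are caddy's forward_auth and the controller's bind address, which this hunk does not show. Since caddy proxies to `127.0.0.1:11334`, its connections arrive from loopback and a narrower trust list covers the proxied path, e.g. `secure_ip = "127.0.0.1";` (add `::1` if the proxy ever connects over IPv6). If the controller binds anything other than loopback, the catch-all range also lets any host that can reach port 11334 directly skip authentik entirely, so a comment stating that assumption is worth adding next to the new line. The `locals` attribute set continues past the hunk.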
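Review bot: `copy_headers` forwards the complete authentik header set, including `X-Authentik-Jwt` and `X-Authentik-Meta-Jwks`, to the rspamd controller at `127.0.0.1:11334`, which as far as the visible config shows does not consume any of them, so every proxied request carries the user's token into an upstream that has no use for it. Trim the list to what the upstream actually needs, e.g. `copy_headers X-Authentik-Username`, or drop the directive if rspamd needs none. Separately, the comment above `reverse_proxy /outpost.goauthentik.io/*` explains the plain-http choice only as "for some reason"; the safety of that choice rests entirely on `nuc.vpn.rfive.de` resolving to the WireGuard peer address, which should be recorded, e.g. `# plain http is acceptable only because nuc.vpn.rfive.de resolves to the WireGuard peer; if that name ever resolves elsewhere both the login flow and the auth check travel unencrypted`. Both the outpost `reverse_proxy` and the `forward_auth` share that backend, so the assumption applies to both lines.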
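Review bot: `networking.firewall.allowedTCPPorts = [ 9000 ]` opens authentik's plain-http listener on every interface of nuc, while the comment says the intent is only to serve the proxy-auth client that arrives over the WireGuard tunnel; any non-tunnel interface then exposes port 9000 directly, bypassing the caddy vhost on `${domain}` that fronts `localhost:9000`. Scope the rule to the tunnel interface instead: `networking.firewall.interfaces.<WG_INTERFACE>.allowedTCPPorts = [ 9000 ];` (replace `<WG_INTERFACE>` with the WireGuard interface name, which is not visible in this diff). The enclosing module attribute set starts outside the hunk.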