diff --git a/hosts/mail/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix
index 91939cf..3c23a36 100644
--- a/hosts/mail/modules/dovecot.nix
+++ b/hosts/mail/modules/dovecot.nix
@@ -14,7 +14,7 @@ let
     auth_bind = no
     ldap_version = 3
     base = ou=users,dc=%Dd
-    user_filter = (&(objectClass=mailAccount)(mail=%u)(!(mailSendOnly=TRUE)))
+    user_filter = (&(objectClass=mailAccount)(mail=%u))
     user_attrs = \
       quota=quota_rule=*:bytes=%$, \
       =home=/var/vmail/%d/%n/, \
diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix
index bb76d7a..26bf1c5 100644
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
@@ -376,12 +376,6 @@ in
               SUBSTR caseIgnoreIA5SubstringsMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
           ''
-          ''
-            (1.3.6.1.4.1.12461.1.1.9 NAME 'mailSendOnly'
-              DESC 'If TRUE, account can only send mail, not receive'
-              EQUALITY caseIgnoreIA5Match
-              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
-          ''
         ];
         olcObjectClasses = [
           ''
@@ -389,14 +383,14 @@ in
               SUP top AUXILIARY
               DESC 'Mail account objects'
               MUST ( mail $ userPassword )
-              MAY ( cn $ description $ quota $ mailSendOnly))
+              MAY (  cn $ description $ quota))
           ''
           ''
             (1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
               SUP top STRUCTURAL
               DESC 'Mail aliasing/forwarding entry'
               MUST ( mail $ maildrop )
-              MAY ( cn $ description $ mailSendOnly ))
+              MAY ( cn $ description ))
           ''
           ''
             (1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
diff --git a/hosts/mail/modules/postfix.nix b/hosts/mail/modules/postfix.nix
index 8511430..bc9d8ee 100644
--- a/hosts/mail/modules/postfix.nix
+++ b/hosts/mail/modules/postfix.nix
@@ -31,7 +31,7 @@ let
     bind_dn           = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
     bind_pw           = @ldap-password@
     scope             = sub
-    query_filter      = (&(uid=%u)(objectClass=mailAccount)(!(mailSendOnly=TRUE)))
+    query_filter      = (&(uid=%u)(objectClass=mailAccount))
     result_attribute  = mail
     debuglevel        = 0
   '';
@@ -73,7 +73,7 @@ let
     bind_dn           = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
     bind_pw           = @ldap-password@
     scope             = one
-    query_filter      = (&(objectClass=mailAlias)(mail=%s)(!(mailSendOnly=TRUE)))
+    query_filter      = (&(objectClass=mailAlias)(mail=%s))
     result_attribute  = maildrop
     debuglevel        = 0
   '';
@@ -180,7 +180,6 @@ in
       smtpd_helo_restrictions = "
                             permit_mynetworks,
                             permit_sasl_authenticated,
-                            check_helo_access regexp:/var/lib/postfix/conf/helo_access,
                             reject_unauth_pipelining,
                             reject_non_fqdn_hostname,
                             reject_invalid_hostname,
diff --git a/hosts/mail/modules/rspamd.nix b/hosts/mail/modules/rspamd.nix
index f4253ab..becc93b 100644
--- a/hosts/mail/modules/rspamd.nix
+++ b/hosts/mail/modules/rspamd.nix
@@ -52,13 +52,6 @@ let
         }
       }
     }
-    dmarc {
-      actions {
-        reject = "reject";
-        quarantine = "add header";
-        softfail = "no action";
-      }
-    }
   '';
 
   sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { };
@@ -70,19 +63,6 @@ in
       .include(priority=1,duplicate=merge) "${localConfig}"
     '';
 
-    locals."groups.conf".text = ''
-      symbols {
-        "R_SPF_DNSFAIL" {
-          weight = 2.0;
-          description = "SPF DNS failure";
-        }
-        "DMARC_DNSFAIL" {
-          weight = 2.0;
-          description = "DMARC DNS failure";
-        }
-      }
-    '';
-
     postfix.enable = true;
     workers.controller = {
       extraConfig = ''
diff --git a/hosts/web-arm/sites/fueltide.io.nix b/hosts/web-arm/sites/fueltide.io.nix
index eee28ae..138952b 100644
--- a/hosts/web-arm/sites/fueltide.io.nix
+++ b/hosts/web-arm/sites/fueltide.io.nix
@@ -21,11 +21,6 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
     ];
 
-    extraConfig = ''
-      add_header Cross-Origin-Embedder-Policy "credentialless" always;
-      add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
-    '';
-
     locations."/".extraConfig = ''
       index index.html;
       try_files $uri $uri/ /index.html;
@@ -46,11 +41,6 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
     ];
 
-    extraConfig = ''
-      add_header Cross-Origin-Embedder-Policy "credentialless" always;
-      add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
-    '';
-
     locations."/".extraConfig = ''
       index index.html;
       try_files $uri $uri/ /index.html;
@@ -71,11 +61,6 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILf3KpvY3sG/l5w4phV3qxOnahFpb7op/8y6i3oLWXv"
     ];
 
-    extraConfig = ''
-      add_header Cross-Origin-Embedder-Policy "credentialless" always;
-      add_header Content-Security-Policy "media-src 'self' https://*.supabase.co blob:;" always;
-    '';
-
     locations."/".extraConfig = ''
       index index.html;
       try_files $uri $uri/ /index.html;