diff --git a/services.mail.yml b/services.mail.yml
index 291fb2e20d570185f8ba77d96d7399c3c4bea909..0864a5c510dd242f840fc49336fd927802ffb74a 100644
--- a/services.mail.yml
+++ b/services.mail.yml
@@ -53,6 +53,7 @@ mail-backend:
         DOMAIN: "{{ domain_public[0] }}"
         SHARD_ID: "{{ shard_id | default('') }}"
         APACHE_PORT: 8084
+      egress_policy: internal
   public_endpoints:
     - name: webmail
       port: 8084
@@ -129,6 +130,7 @@ mailman:
         API_PORT: 6088
       resources:
         ram: "4G"
+      egress_policy: internal
   monitoring_endpoints:
     - job_name: mailman
       port: 8187
@@ -206,6 +208,7 @@ helpdesk:
         SMTP_PORT: 3825
         SMTP_EHLO: "rt4.{{ domain }}"
         SMTP_RULES: "{% for q in helpdesk_queues | default([]) %}{% if not loop.first %};{% endif %}{{ q.name }}@helpdesk\\.{{ domain | regex_escape }}: spamc -u rt4 --log-to-stderr --pipe-to /usr/bin/rt-mailgate --url http://localhost:3881/rt --queue {{ q.name }} --action correspond;{{ q.name }}-comment@helpdesk\\.{{ domain | regex_escape }}: spamc -u rt4 --log-to-stderr --pipe-to /usr/bin/rt-mailgate --url http://localhost:3881/rt --queue {{ q.name }} --action comment{% endfor %}"
+      egress_policy: internal
   monitoring_endpoints:
     - job_name: mariadb-helpdesk
       port: 9337
@@ -267,6 +270,7 @@ feedback-loop:
         PORT: 5490
         APP_CONFIG: /etc/feedback-loop.yml
       port: 5490
+      egress_policy: internal
   public_endpoints:
     - name: feedback-loop
       port: 5490