diff --git a/services.mail.yml b/services.mail.yml
index 41e58b5c20c15ce539522e27dcdf112e07103044..cfd05a07c38747a95f40f3a92b5cb20d2426cedd 100644
--- a/services.mail.yml
+++ b/services.mail.yml
@@ -53,6 +53,7 @@ mail-backend:
         DOMAIN: "{{ domain_public[0] }}"
         SHARD_ID: "{{ shard_id | default('') }}"
         APACHE_PORT: 8084
+      egress_policy: internal
   public_endpoints:
     - name: webmail
       port: 8084
@@ -129,6 +130,7 @@ mailman:
         API_PORT: 6088
       resources:
         ram: "4G"
+      egress_policy: internal
   monitoring_endpoints:
     - job_name: mailman
       port: 8187
@@ -206,6 +208,7 @@ helpdesk:
         SMTP_PORT: 3825
         SMTP_EHLO: "rt4.{{ domain }}"
         SMTP_RULES: "{% for q in helpdesk_queues | default([]) %}{% if not loop.first %};{% endif %}{{ q.name }}@helpdesk\\.{{ domain | regex_escape }}: spamc -u rt4 --log-to-stderr --pipe-to /usr/bin/rt-mailgate --url http://localhost:3881/rt --queue {{ q.name }} --action correspond;{{ q.name }}-comment@helpdesk\\.{{ domain | regex_escape }}: spamc -u rt4 --log-to-stderr --pipe-to /usr/bin/rt-mailgate --url http://localhost:3881/rt --queue {{ q.name }} --action comment{% endfor %}"
+      egress_policy: internal
   monitoring_endpoints:
     - job_name: mariadb-helpdesk
       port: 9337
@@ -268,6 +271,7 @@ feedback-loop:
         PORT: 5490
         APP_CONFIG: /etc/feedback-loop.yml
       port: 5490
+      egress_policy: internal
   public_endpoints:
     - name: feedback-loop
       port: 5490