diff --git a/applications/email.nix b/applications/email.nix
index 76c2117..459dab8 100644
--- a/applications/email.nix
+++ b/applications/email.nix
@@ -1,6 +1,15 @@
 { config, pkgs, lib, ...}:
 with lib;
 let
 cfg = config.services.skynet_email;
+
+ # create teh new strings
+ create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
+
+ create_filter_join = (x: concatStringsSep "" x);
+
+ # thought you could escape racket?
+ create_filter = (groups: create_filter_join (create_filter_array groups) );
+
 in {
 imports = [
@@ -31,7 +40,7 @@
 domain = mkOption {
 type = types.str;
- default = "ulcompsoc.ie";
+ default = "skynet.ie";
 description = lib.mdDoc "domaino";
 };
@@ -41,6 +50,19 @@
 description = lib.mdDoc "mailserver subdomain";
 };
+ groups = mkOption {
+ type = types.listOf types.str;
+ default = [
+ # general skynet users
+ "skynet-users"
+ # C&S folsk get access
+ "skynet-cns"
+ # skynet service accounts
+ "skynet-service"
+ ];
+ description = lib.mdDoc "Groups we want to allow access to the email";
+ };
+
 ldap = {
 hosts = mkOption {
 type = types.listOf types.str;
@@ -69,7 +91,6 @@
 };
 };
-
 };
 config = mkIf cfg.enable {
@@ -102,12 +123,8 @@
 cfg.domain
 ];
- #hierarchySeparator = "/";
-
- # 100MB max size
- messageSizeLimit = 100000000;
-
- #localDnsResolver = false;
+ # 20MB max size
+ messageSizeLimit = 20000000;
 ldap = {
 enable = true;
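Review bot: `create_filter_array` interpolates each group name straight into an LDAP filter term, so a name containing filter metacharacters (`(`, `)`, `*`, `\`) yields a malformed or wider-than-intended `passFilter`; `cfg.groups` is operator-supplied configuration, so this is a robustness rather than an injection concern, but an `assert` over `cfg.groups` that rejects those characters would fail at evaluation time instead of at login time. The three helpers also collapse to a single binding, `create_filter = groups: concatMapStrings (g: "(memberOf=cn=${g},ou=groups,${cfg.ldap.base})") groups;`, which reads more directly than the map/join pair. The comment `# create teh new strings` has a typo and `# thought you could escape racket?` says nothing about what the binding produces; a comment such as `# one "(memberOf=cn=<group>,ou=groups,<base>)" term per group, concatenated for use inside an LDAP (|...) clause` would document the contract.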
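Review bot: The `groups` option description does not say what the strings are or what membership grants; from the rest of this diff they are LDAP group `cn` values under `ou=groups,${cfg.ldap.base}` and membership gates Dovecot authentication only (the unchanged `userFilter` and Postfix `filter` still match any `skMail` user, so delivery appears unaffected). A description such as `description = lib.mdDoc "LDAP group cn values (under ou=groups) whose members may authenticate to Dovecot";` would make that explicit, and the inline comment `# C&S folsk get access` has a typo (`folks`). Since the default list grants access to `skynet-service`, a one-line comment on why service accounts need interactive mailbox access would also help a later reviewer.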
@@ -116,37 +133,25 @@
 dn = cfg.ldap.bind_dn;
 passwordFile = config.age.secrets.ldap_pw.path;
 };
+ searchBase = cfg.ldap.searchBase;
 searchScope = "sub";
-
 dovecot = {
- #userAttrs = "uidNumber=uid,gidNumber=gid,skMail=mail"; # use the set email account
- #userFilter = "(&(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))(uid=%n))";
- #userFilter = "(&(objectClass=posixAccount)(uid=%u))";
 userFilter = "(skMail=%u)";
- # "fix" until userAttrs is fixed
- #passAttrs = ''uid=user,userPassword=password
- #user_attrs = uidNumber=uid,gidNumber=gid,mail=/var/vmail/%u/%d
- #'';
- passFilter = "(skMail=%u)";
+ # accept emails in, but only allow access to paid up members
+ passFilter = "(&(|${create_filter cfg.groups})(skMail=%u))";
 };
 postfix = {
 filter = "(skMail=%s)";
-
- # these may be reversed??? - https://gist.github.com/calbrecht/bca39174f39a74e52a6d05bf630ad495
 uidAttribute = "skMail";
 mailAttribute = "skMail";
 };
-
 };
-
 # feckin spammers
 rejectRecipients = [
diff --git a/flake.lock b/flake.lock
index c1003f7..1ebe789 100644
--- a/flake.lock
+++ b/flake.lock
@@ -280,11 +280,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1684569145,
- "narHash": "sha256-Dr8KAgjiGuigTgEp7zFO08zPA5o0RxzoPad+oDtg/G0=",
+ "lastModified": 1688416558,
+ "narHash": "sha256-v9UudcBYAHssB+e6Mip+5dOClFlPwy80wJjbpUMomJk=",
 "owner": "mweinelt",
 "repo": "nixos-mailserver",
- "rev": "5d13cf0550bd5b201b28f116acc5f4b19dd5d753",
+ "rev": "a1c985f325300fc8bca3e8dfe5a9676c10ab1055",
 "type": "gitlab"
 },
 "original": {
diff --git a/machines/gir.nix b/machines/gir.nix
index 9886c6b..5b28030 100644
--- a/machines/gir.nix
+++ b/machines/gir.nix
@@ -53,5 +53,7 @@ in {
 # the name is used for dns
 name = name;
 };
+
+ domain = "ulcompsoc.ie";
 };
 }
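Review bot: The new `passFilter` fails closed when `cfg.groups` is empty — `create_filter []` evaluates to `""`, giving `(&(|)(skMail=%u))`, and an operand-less `(|)` is either rejected as malformed or, on servers implementing RFC 4526, an absolute-false filter — so no account can authenticate. That is the safe direction, but nothing records it; a comment next to the binding such as `# empty cfg.groups yields "(|)" and blocks all logins; userFilter stays unrestricted so delivery is unaffected` would save the next person a debugging session. `searchBase = cfg.ldap.searchBase;` also relies on an `ldap.searchBase` option that is not declared in any hunk shown here; if it lives in the unshown part of the options block that is fine, otherwise evaluation fails. The enclosing `ldap = {` set opens in the previous hunk and `rejectRecipients` continues past the end of this one.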
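Review bot: `domain = "ulcompsoc.ie";` pins this host to the value that was the module default until this commit (`applications/email.nix` now defaults to `skynet.ie`), and nothing says whether that is deliberate or a migration leftover; a comment such as `# gir keeps the legacy ulcompsoc.ie domain; the module default moved to skynet.ie` would record the intent. The attribute set this line belongs to opens before the hunk (`in {` on the `@@` line is only the hunk's function context), so which option set receives `domain` is inferred here — presumably `services.skynet_email`.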