diff --git a/hosts/sigma/mail.nix b/hosts/sigma/mail.nix
index db1b734..e78c480 100644
--- a/hosts/sigma/mail.nix
+++ b/hosts/sigma/mail.nix
@@ -80,13 +80,14 @@
}; };
- # Only allow mail delivery through through wg-sigma-public. Note that this
- # does not tell it to use the correct routing table. For proper internet
- # access, the correct routing table is also configured by
- # routingPolicyRuleConfig in networking.nix.
+ # Only allow mail delivery through wg-sigma-public. Note that this does not
+ # tell it to use the correct routing table. For proper internet access, the
+ # correct routing table is also configured by routingPolicyRuleConfig in
+ # networking.nix. enp4s0f0 (lan) is additionally allowed to enable sending
+ # mails from lan hosts.
systemd.services.postfix = { serviceConfig = {
- RestrictNetworkInterfaces = "lo wg-sigma-public";
+ RestrictNetworkInterfaces = "lo enp4s0f0 wg-sigma-public";
}; };
diff --git a/hosts/sigma/network.nix b/hosts/sigma/network.nix
index c10e699..1182e25 100644
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
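Review bot: The comment's first sentence still says mail delivery is only allowed through wg-sigma-public, but the new `RestrictNetworkInterfaces = "lo enp4s0f0 wg-sigma-public";` lets postfix send on enp4s0f0 as well as receive on it (as far as I know the directive filters per interface, not per direction), so the "non-LAN mail only via the tunnel" property now rests entirely on the per-user routing policy rule in the other file, which this comment should say. Suggested rewording of the first sentence: `# Mail delivery to the internet must go through wg-sigma-public; enp4s0f0 (lan) is also allowed so lan hosts can submit mail, and the routing rules keep non-lan traffic on the tunnel.` The comment points at `networking.nix` while the routing rules in this diff live in `hosts/sigma/network.nix`, so one of the names looks stale. Whether opening the LAN interface also widens who may relay through postfix depends on its inet_interfaces and relay restrictions, which are outside this hunk.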
@@ -85,27 +85,26 @@
matchConfig.Name = "wg-sigma-public"; address = ["49.13.33.75/32"]; routingPolicyRules = [
- {
- # The postfix systemd service has
- # RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
- # it to use the correct routing table.
- routingPolicyRuleConfig = {
- Priority = 10;
- User = config.services.postfix.user;
- Table = "wg-sigma-public";
- };
- }
{ # Allow hosts on the local network to contact us directly on the # public address instead of routing the packet through Wireguard and # back again. routingPolicyRuleConfig = {
- Priority = 500;
- From = "49.13.33.75/32";
+ Priority = 10;
To = "192.168.0.0/24"; Table = "main"; }; }
+ {
+ # The postfix systemd service has
+ # RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
+ # it to use the correct routing table.
+ routingPolicyRuleConfig = {
+ Priority = 100;
+ User = config.services.postfix.user;
+ Table = "wg-sigma-public";
+ };
+ }
{ # See the AllowedIPs comment above for why this is necessary routingPolicyRuleConfig = {
@@ -151,7 +150,7 @@
# RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it # to use the correct routing table. routingPolicyRuleConfig = {
- Priority = 10;
+ Priority = 100;
User = config.services.deluge.user; Table = "wg-sigma-p2p"; };
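Review bot: Removing `From = "49.13.33.75/32";` and lowering the LAN rule to `Priority = 10;` changes it from "replies from the public address to the LAN" into "any packet to 192.168.0.0/24, from any source or user, uses main", and because it now sits ahead of the postfix rule at `Priority = 100;` it is what keeps postfix's answers to LAN hosts off the tunnel, yet the comment above it still describes only the inbound-contact case. Suggest adding below that comment: `# Kept before the per-user rules below so that lan-bound traffic from postfix (and deluge) uses the lan route rather than a wireguard table.` The same ordering applies to the deluge rule in the second hunk (`Priority = 100;`), so deluge's LAN-bound packets would also be routed via main; if that should be blocked rather than routed, the only remaining control is presumably that service's RestrictNetworkInterfaces, which is not visible here and is worth a sentence in the comment. Both per-user rules now share priority 100, which is fine while their User selectors differ, but a one-line note stating the intended order (lan rule before user rules) would stop a future reshuffle from recreating the old ordering.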