diff --git a/book/src/access_control/intro.md b/book/src/access_control/intro.md
index 48800986d..eb71b5d31 100644
--- a/book/src/access_control/intro.md
+++ b/book/src/access_control/intro.md
@@ -65,6 +65,8 @@ groups.
 | `idm_access_control_admins` | write access controls |
 | `idm_account_policy_admins` | modify account policy requirements for user authentication |
 | `idm_group_admins` | create and modify groups |
+| `idm_mail_servers` | read mail attributes needed to be a mail server |
+| `idm_mail_service_admins` | grant permissions to service accounts to act as mail servers |
 | `idm_oauth2_admins` | create and modify OAuth2 integrations |
 | `idm_people_admins` | create and modify persons |
 | `idm_people_on_boarding` | create (but not modify) persons. Intended for use with service accounts |
diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs
index f0ee69515..f50ea76ba 100644
--- a/server/lib/src/constants/acp.rs
+++ b/server/lib/src/constants/acp.rs
@@ -1051,6 +1051,41 @@ lazy_static! {
 };
 }
 
+lazy_static! {
+ pub static ref IDM_ACP_MAIL_SERVERS_DL8: BuiltinAcp = BuiltinAcp {
+ classes: vec![
+ EntryClass::Object,
+ EntryClass::AccessControlProfile,
+ EntryClass::AccessControlSearch,
+ ],
+ name: "idm_acp_mail_servers",
+ uuid: UUID_IDM_ACP_MAIL_SERVERS,
+ description:
+ "Builtin IDM Control for MAIL servers to read email addresses and other needed attributes.",
+ receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_MAIL_SERVERS]),
+ target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
+ ProtoFilter::Or(vec![
+ match_class_filter!(EntryClass::Account),
+ match_class_filter!(EntryClass::Group),
+ ]),
+ FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
+ ])),
+ search_attrs: vec![
+ Attribute::Class,
+ Attribute::Name,
+ Attribute::Spn,
+ Attribute::Uuid,
+ Attribute::DisplayName,
+ Attribute::Mail,
+ Attribute::Member,
+ Attribute::DynMember,
+ Attribute::MemberOf,
+ Attribute::GidNumber,
+ ],
+ ..Default::default()
+ };
+}
+
 lazy_static! {
 pub static ref IDM_ACP_PEOPLE_SELF_WRITE_MAIL_V1: BuiltinAcp = BuiltinAcp {
 classes: vec![
diff --git a/server/lib/src/constants/groups.rs b/server/lib/src/constants/groups.rs
index 8ad1b64f7..453e0731f 100644
--- a/server/lib/src/constants/groups.rs
+++ b/server/lib/src/constants/groups.rs
@@ -219,7 +219,7 @@ lazy_static! {
 };
 /// Builtin IDM Group for RADIUS server access delegation.
- pub static ref IDM_RADIUS_SERVERS_V1: BuiltinGroup = BuiltinGroup {
+ pub static ref BUILTIN_IDM_RADIUS_SERVERS_V1: BuiltinGroup = BuiltinGroup {
 name: "idm_radius_servers",
 description: "Builtin IDM Group for RADIUS server access delegation.",
 uuid: UUID_IDM_RADIUS_SERVERS,
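Review bot: The new search ACP targets every account and every group (only tombstoned/recycled entries are excluded) and its `search_attrs` include `Member`, `DynMember`, `MemberOf` and `GidNumber`, so any account placed in `idm_mail_servers` can read the complete membership of every group, including the high-privilege ones, which goes well beyond "email addresses". Nothing in the hunk records why membership and the POSIX gid are needed by a mail server; if the reason is expanding group aliases into recipients, state it above `search_attrs`, e.g. `// Member/DynMember/MemberOf let a mail server expand a group alias to its recipients.`, and drop `GidNumber` if it has no mail use. If the filter language supports it, narrowing the group branch of the target to groups that actually carry a `mail` attribute would keep the read scope close to the stated purpose. The `description` value "...and other needed attributes" will not help an administrator auditing what is exposed; naming the attribute families there is cheap. `FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()` is missing the trailing comma rustfmt would add.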
@@ -229,6 +229,26 @@ lazy_static! {
 ..Default::default()
 };
 
+ pub static ref BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8: BuiltinGroup = BuiltinGroup {
+ name: "idm_mail_service_admins",
+ description: "Builtin Mail Server Administration Group.",
+ uuid: UUID_IDM_MAIL_ADMINS,
+ entry_managed_by: Some(UUID_IDM_ADMINS),
+ members: vec![UUID_IDM_ADMINS],
+ ..Default::default()
+ };
+
+ /// Builtin IDM Group for MAIL server Access delegation.
+ pub static ref BUILTIN_IDM_MAIL_SERVERS_DL8: BuiltinGroup = BuiltinGroup {
+ name: "idm_mail_servers",
+ description: "Builtin IDM Group for MAIL server access delegation.",
+ uuid: UUID_IDM_MAIL_SERVERS,
+ entry_managed_by: Some(UUID_IDM_MAIL_ADMINS),
+ members: vec![
+ ],
+ ..Default::default()
+ };
+
 pub static ref BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS: BuiltinGroup = BuiltinGroup {
 name: "idm_account_policy_admins",
 description: "Builtin Account Policy Administration Group.",
@@ -436,10 +456,12 @@ pub fn idm_builtin_non_admin_groups() -> Vec<&'static BuiltinGroup> {
 &BUILTIN_GROUP_PEOPLE_ON_BOARDING,
 &BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS,
 &BUILTIN_GROUP_APPLICATION_ADMINS,
+ &BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8,
 &IDM_GROUP_ADMINS_V1,
 &IDM_ALL_PERSONS,
 &IDM_ALL_ACCOUNTS,
- &IDM_RADIUS_SERVERS_V1,
+ &BUILTIN_IDM_RADIUS_SERVERS_V1,
+ &BUILTIN_IDM_MAIL_SERVERS_DL8,
 &IDM_PEOPLE_SELF_WRITE_MAIL_V1,
 // Write deps on read, so write must be added first.
 // All members must exist before we write HP
diff --git a/server/lib/src/constants/uuids.rs b/server/lib/src/constants/uuids.rs
index 8d4739ab0..92ecba6e9 100644
--- a/server/lib/src/constants/uuids.rs
+++ b/server/lib/src/constants/uuids.rs
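Review bot: `BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8` has no `///` doc comment while its sibling `BUILTIN_IDM_MAIL_SERVERS_DL8` and the nearby RADIUS group do; add one such as `/// Builtin IDM Group that may add service accounts to idm_mail_servers.` above it. That comment is where the trust boundary belongs: because the servers group is `entry_managed_by: Some(UUID_IDM_MAIL_ADMINS)`, membership of `idm_mail_service_admins` decides which accounts receive the mail-server read access control, and a reader of this file should not have to infer that from the acp constants. In `BUILTIN_IDM_MAIL_SERVERS_DL8` the explicit `members: vec![ ],` spread over two lines is redundant with `..Default::default()` and rustfmt would collapse it; dropping the field reads cleaner. The two new statics mix the `BUILTIN_GROUP_` and `BUILTIN_IDM_` prefixes for the same kind of item; the file already has both, but one change introducing both widens the inconsistency, so `BUILTIN_GROUP_MAIL_SERVERS_DL8` would match the sibling. The doc line `/// Builtin IDM Group for MAIL server Access delegation.` capitalises "Access" unlike the `description` string two lines below it.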
@@ -69,6 +69,8 @@ pub const UUID_IDM_ACCOUNT_POLICY_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-
 pub const UUID_IDM_PEOPLE_SELF_NAME_WRITE: Uuid = uuid!("00000000-0000-0000-0000-000000000048");
 pub const UUID_IDM_CLIENT_CERTIFICATE_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000049");
 pub const UUID_IDM_APPLICATION_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000050");
+pub const UUID_IDM_MAIL_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000051");
+pub const UUID_IDM_MAIL_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-000000000052");
 //
 pub const UUID_IDM_HIGH_PRIVILEGE: Uuid = uuid!("00000000-0000-0000-0000-000000001000");
@@ -431,10 +433,10 @@ pub const UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_V1: Uuid = uuid!("00000000-0000-0000-
 pub const UUID_KEY_PROVIDER_INTERNAL: Uuid = uuid!("00000000-0000-0000-0000-ffffff000070");
 pub const UUID_IDM_ACP_HP_CLIENT_CERTIFICATE_MANAGER: Uuid = uuid!("00000000-0000-0000-0000-ffffff000071");
-
 pub const UUID_IDM_ACP_APPLICATION_ENTRY_MANAGER: Uuid = uuid!("00000000-0000-0000-0000-ffffff000072");
 pub const UUID_IDM_ACP_APPLICATION_MANAGE: Uuid = uuid!("00000000-0000-0000-0000-ffffff000073");
+pub const UUID_IDM_ACP_MAIL_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-ffffff000074");
 // End of system ranges
 pub const UUID_DOES_NOT_EXIST: Uuid = uuid!("00000000-0000-0000-0000-fffffffffffe");
@@ -617,13 +617,17 @@ impl<'a> QueryServerWriteTransaction<'a> {
 IDM_ACP_SELF_WRITE_DL8.clone().into(),
 IDM_ACP_APPLICATION_MANAGE_DL8.clone().into(),
 IDM_ACP_APPLICATION_ENTRY_MANAGER_DL8.clone().into(),
+ // Add the new types for mail server
+ BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8.clone().try_into()?,
+ BUILTIN_IDM_MAIL_SERVERS_DL8.clone().try_into()?,
+ IDM_ACP_MAIL_SERVERS_DL8.clone().into(),
 ];
 idm_data
 .into_iter()
 .try_for_each(|entry| self.internal_migrate_or_create(entry))
 .map_err(|err| {
- error!(?err, "migrate_domain_6_to_7 -> Error");
+ error!(?err, "migrate_domain_7_to_8 -> Error");
 err
 })?;
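Review bot: The three mail entries are appended to the existing domain-level migration's `idm_data` list, so on any deployment where this migration has already completed they would never be passed to `internal_migrate_or_create` and the groups and ACP would simply be absent there; confirm that level 8 is still unreleased, or that some later step re-applies builtin entries, and record that assumption next to the list. The comment `// Add the new types for mail server` mis-describes what follows (two groups and one access control profile, not types); something like `// Mail server delegation: admin group, the server group it manages, then the ACP that names that group as receiver.` also documents the ordering, which presumably matters because the ACP's receiver references `UUID_IDM_MAIL_SERVERS`. The enclosing migration function starts and ends outside the hunk, and the log-message correction to `migrate_domain_7_to_8` is right as written.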