diff --git a/src/internal/controller/zitadelcluster_controller.go b/src/internal/controller/zitadelcluster_controller.go
index b8caf35..77c0d2c 100644
--- a/src/internal/controller/zitadelcluster_controller.go
+++ b/src/internal/controller/zitadelcluster_controller.go
@@ -465,27 +465,29 @@ func (r *ZitadelClusterReconciler) reconcileSMTPConfig(ctx context.Context, zita
 			Host:          zitadel.Spec.SMTPConfig.Host,
 			Id:            resp.SmtpConfig.Id,
 		}
-
+		var password *string
 		if zitadel.Spec.SMTPConfig.User != nil && zitadel.Spec.SMTPConfig.Password != nil {
+
+			passwordSecret, err := r.RefResolver.SecretKeyRef(ctx, zitadel.Spec.SMTPConfig.Password.SecretKeyRef, zitadel.Namespace)
+			if err != nil {
+				return ctrl.Result{}, err
+			}
+			password = &passwordSecret
 			adminRequest.User = *zitadel.Spec.SMTPConfig.User
 		}
 		if zitadel.Spec.SMTPConfig.ReplyToAddress != nil {
 			adminRequest.ReplyToAddress = *zitadel.Spec.SMTPConfig.ReplyToAddress
 		}
 
-		passwordSecret, err := r.RefResolver.SecretKeyRef(ctx, zitadel.Spec.SMTPConfig.Password.SecretKeyRef, zitadel.Namespace)
-		if err != nil {
-			return ctrl.Result{}, err
-		}
 		if _, err = adminClient.UpdateSMTPConfig(ctx, adminRequest); err != nil {
 			if !strings.Contains(err.Error(), "No changes") {
 				return ctrl.Result{}, fmt.Errorf("Could not update SMTP config: %v", err)
 			}
 		}
 		smtpId = resp.SmtpConfig.Id
-		if zitadel.Spec.SMTPConfig.Password != nil {
+		if password != nil {
 			if _, err = adminClient.UpdateSMTPConfigPassword(ctx, &adm.UpdateSMTPConfigPasswordRequest{
-				Password: passwordSecret,
+				Password: *password,
 			}); err != nil {
 				if !strings.Contains(err.Error(), "No changes") {
 					return ctrl.Result{}, fmt.Errorf("Could not update SMTP config: %v", err)