diff --git a/Makefile b/Makefile
index 9aff346..67ff705 100644
--- a/Makefile
+++ b/Makefile
@@ -14,10 +14,10 @@ requirements.txt: Pipfile.lock
 	pipenv requirements > requirements.txt
 
 build: clean requirements.txt
-	python3 -m pip install -r requirements.txt --target build
+	python3 -m pip install -r requirements.txt --no-compile --target build
 	cp -r mail4one/ build/
 	sed -i "s/DEVELOMENT/$(shell scripts/get_version.sh)/" build/mail4one/version.py
-	python3 -m compileall build/mail4one -f
+	rm -rf build/mail4one/__pycache__
 	rm -rf build/*.dist-info
 	python3 -m zipapp \
 		--output mail4one.pyz \
diff --git a/deploy_configs/mail4one.service b/deploy_configs/mail4one.service
index 08bbcc8..10bb51e 100644
--- a/deploy_configs/mail4one.service
+++ b/deploy_configs/mail4one.service
@@ -9,14 +9,19 @@ Requires=network-online.target
 [Service]
 User=mail4one
 ExecStart=/usr/local/bin/mail4one --config /etc/mail4one/config.json
-PrivateTmp=true
-ProtectSystem=full
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 
-StateDirectory=mail4one
+StateDirectory=mail4one/certs mail4one/mails
+StateDirectoryMode=0750
+UMask=
 LogsDirectory=mail4one
 WorkingDirectory=/var/lib/mail4one
+
+ProtectSystem=strict
+PrivateTmp=true
+PrivateUsers=true
 ProtectHome=yes
+NoNewPrivileges=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/deploy_configs/mail4one_cert_copy.sh b/deploy_configs/mail4one_cert_copy.sh
index fac73c3..8e27527 100755
--- a/deploy_configs/mail4one_cert_copy.sh
+++ b/deploy_configs/mail4one_cert_copy.sh
@@ -10,7 +10,7 @@ set -x
 if [ "$RENEWED_DOMAINS" = "mail.mydomain.com" ]
 then
 		mkdir -p /var/lib/mail4one/certs
-		chmod 500 /var/lib/mail4one/certs
+		chmod 750 /var/lib/mail4one/certs
 		chown mail4one:mail4one /var/lib/mail4one/certs
 		cp "$RENEWED_LINEAGE/fullchain.pem" /var/lib/mail4one/certs/
 		cp "$RENEWED_LINEAGE/privkey.pem" /var/lib/mail4one/certs/