diff --git a/src/infra_version.js b/src/infra_version.js
index a2302cf74..970c38721 100644
--- a/src/infra_version.js
+++ b/src/infra_version.js
@@ -20,7 +20,7 @@ exports = module.exports = {
 'postgresql': { repo: 'cloudron/postgresql', tag: 'cloudron/postgresql:4.1.1@sha256:86e4e2f4fd43809efca7c9cb1def4d7608cf36cb9ea27052f9b64da4481db43a' },
 'mongodb': { repo: 'cloudron/mongodb', tag: 'cloudron/mongodb:4.0.2@sha256:9df297ccc3370f38c54f8d614e214e082b363777cd1c6c9522e29663cc8f5362' },
 'redis': { repo: 'cloudron/redis', tag: 'cloudron/redis:3.0.4@sha256:5c60de75d078ae609da5565f32dcd91030f45907e945756cc976ff207b8c6199' },
- 'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:3.4.0@sha256:af6003e6b7909e9763402a376af66441d00aceb96c2ab46d51f6247686fe95bb' },
+ 'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:3.4.0@sha256:f484702cea26915b9a2501e11710d8975460c5070ee0b7175ae9afc788512f0e' },
 'graphite': { repo: 'cloudron/graphite', tag: 'cloudron/graphite:3.0.1@sha256:bed9f6b5d06fe2c5289e895e806cfa5b74ad62993d705be55d4554a67d128029' },
 'sftp': { repo: 'cloudron/sftp', tag: 'cloudron/sftp:3.4.1@sha256:13e066fcd52230f23244c16fdd2f7aa447a91e98ff703269f48b1afe3b393e31' }
 }
diff --git a/src/mail.js b/src/mail.js
index 1bb790c16..eb8a41eb4 100644
--- a/src/mail.js
+++ b/src/mail.js
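Review bot: The `mail` entry keeps the tag `cloudron/mail:3.4.0` while its sha256 digest changes, so two different image builds now carry the same version label. The digest pin still decides which content is pulled, but any log, inventory or support output that records only the tag can no longer tell the two builds apart. Bumping the image's version tag together with the digest would keep the tag-to-content mapping one-to-one. If the re-push was deliberate, a comment next to the entry such as `// mail 3.4.0 was re-pushed; the digest, not the tag, identifies the build` would record that for later audits.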
@@ -697,6 +697,9 @@ async function configureMail(mailFqdn, mailDomain, serviceConfig) {
 if (!safe.child_process.execSync(`cp ${bundle.certFilePath} ${mailCertFilePath}`)) throw new BoxError(BoxError.FS_ERROR, 'Could not create cert file:' + safe.error.message);
 if (!safe.child_process.execSync(`cp ${bundle.keyFilePath} ${mailKeyFilePath}`)) throw new BoxError(BoxError.FS_ERROR, 'Could not create key file:' + safe.error.message);
+ // if the 'yellowtent' user of OS and the 'cloudron' user of mail container don't match, the keys become inaccessible by mail code
+ if (!safe.fs.chmodSync(mailKeyFilePath, 0o644)) throw new BoxError(BoxError.FS_ERROR, `Could not chmod key file: ${safe.error.message}`);
+
 await shell.promises.exec('stopMail', 'docker stop mail || true');
 await shell.promises.exec('removeMail', 'docker rm -f mail || true');
@@ -722,7 +725,7 @@ async function configureMail(mailFqdn, mailDomain, serviceConfig) {
 -e CLOUDRON_RELAY_TOKEN="${relayToken}" \
 -e LOGLEVEL=${logLevel} \
 -v "${paths.MAIL_DATA_DIR}:/app/data" \
- -v "${paths.MAIL_CONFIG_DIR}:/etc/mail" \
+ -v "${paths.MAIL_CONFIG_DIR}:/etc/mail:ro" \
 ${ports} \
 --label isCloudronManaged=true \
 ${readOnly} -v /run -v /tmp ${tag} ${cmd}`;
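Review bot: `safe.fs.chmodSync(mailKeyFilePath, 0o644)` makes the TLS private key readable by every account on the host, not just by the mail container's `cloudron` user. Whether that exposure is contained depends on the permissions of the directories above `mailKeyFilePath`, which this hunk does not show; the `:ro` mount added in the next hunk stops the container from modifying the key but does not limit who can read it. A narrower answer to the uid mismatch would be to give the file to the container's uid or a shared group and keep the mode at `0o600` or `0o640`. If `0o644` stays, the comment should record what still protects the key, for example `// world-readable on purpose: host access is limited by the mode of the mail config directory (verify)`. configureMail starts and ends outside the hunk.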