diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
index 7d1b16c..523670b 100644
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@@ -310,12 +310,15 @@ in {
 '';
 in lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
+
+ unitConfig.JoinsNamespaceOf = "stalwart-mail.service"; # allow access to sieve script
+
 serviceConfig = {
 Type = "oneshot";
 User = "stalwart-mail";
 NoNewPrivileges = true;
 # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
- PrivateTmp = false; # allow access to sieve script
+ PrivateTmp = true;
 ProtectHome = true;
 ReadOnlyPaths = "/";
 ReadWritePaths = "/tmp";
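Review bot: `JoinsNamespaceOf = "stalwart-mail.service"` only gives this unit stalwart-mail's private /tmp when both units have PrivateTmp= enabled and stalwart-mail.service is already running at the moment this unit starts; otherwise systemd sets up a fresh, empty private /tmp and the generated sieve script is not there. The hunk turns on PrivateTmp here, but no ordering on stalwart-mail.service is visible in this hunk, so unless it is set elsewhere in the unit (whose definition starts before the hunk) it should get `after = [ "stalwart-mail.service" ]; requires = [ "stalwart-mail.service" ];`. The trailing comment should also record the precondition so the next reader does not flip PrivateTmp back: `# share stalwart-mail's private /tmp to read the generated sieve script; needs PrivateTmp=true on both units and stalwart-mail started first`. Note that JoinsNamespaceOf= would also share a private network/IPC namespace if stalwart-mail ever enabled one, which is worth a mention in that comment.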
@@ -337,36 +340,8 @@ in {
 # This service is defined by the nixpkgs stalwart module and we only modify it.
 "stalwart-mail" = {
 restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
- serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
- serviceConfig.ProtectSystem = lib.mkForce "full"; # "strict" does not allow writing to /tmp which we need for unpacking the webadmin interface. "full" is less strict.
- };
- "virt-aliases-generator" = {
- description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
- script = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]);
- wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
- serviceConfig = {
- Type = "oneshot";
- User = "stalwart-mail";
- NoNewPrivileges = true;
- # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
- PrivateTmp = false;
- ProtectHome = true;
- ReadOnlyPaths = "/";
- ReadWritePaths = "/tmp";
- InaccessiblePaths = "-/lost+found";
- PrivateDevices = true;
- PrivateUsers = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- };
+ #Generate a sieve script from the virtual alias file
+ preStart = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]);
 };
 };
 };
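Review bot: The new `preStart` line interpolates `x.virt_aliases` and `x.domain` into a shell command unquoted, so a path or domain containing whitespace or shell metacharacters is word-split or interpreted rather than passed as one argument; the removed `script` had the same weakness, and this is the moment to fix it with `lib.escapeShellArg`, e.g. `preStart = "${pkgs.alias-to-sieve}/bin/alias_to_sieve " + lib.concatMapStringsSep " " (x: "${lib.escapeShellArg x.virt_aliases} ${lib.escapeShellArg x.domain}") cfg.domains + " > /tmp/virt_aliases";`. The hunk also silently drops the `ProtectSystem = lib.mkForce "full"` override whose comment said "strict" blocked the webadmin unpack in /tmp; with the nixpkgs PrivateTmp default restored the private /tmp should remain writable under strict, but that is a separate hardening change and deserves a sentence in the commit message and a check that the webadmin unpack still succeeds. The new comment should read `# Generate a sieve script from the virtual alias file; written into this unit's private /tmp, which the sieve-script consumer joins via JoinsNamespaceOf=` so the /tmp coupling between the two units is documented at the producer side too.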