diff --git a/conf/mailinabox.service b/conf/mailinabox.service
index c1d98a03..fb5e9008 100644
--- a/conf/mailinabox.service
+++ b/conf/mailinabox.service
@@ -5,6 +5,16 @@ After=multi-user.target
 [Service]
 Type=idle
 IgnoreSIGPIPE=False
+ProtectSystem=yes
+ProtectHome=read-only
+ReadWritePaths=STORAGE_ROOT
+PrivateDevices=yes
+PrivateNetwork=no
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+SyslogIdentifier=mailinabox
 ExecStart=/usr/local/lib/mailinabox/start
 
 [Install]
diff --git a/setup/management.sh b/setup/management.sh
index 60a313c4..7c9a8647 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -109,6 +109,7 @@ exec gunicorn -b localhost:10222 -w 1 wsgi:app
 EOF
 chmod +x $inst_dir/start
 cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
+sed -i "s|STORAGE_ROOT|$STORAGE_ROOT|g" /lib/systemd/system/mailinabox.service
 hide_output systemctl link -f /lib/systemd/system/mailinabox.service
 hide_output systemctl daemon-reload
 hide_output systemctl enable mailinabox.service