diff --git a/.github/workflows/test-and-deploy-ipv4only.yaml b/.github/workflows/test-and-deploy-ipv4only.yaml
index 0480ec90..a60180e5 100644
--- a/.github/workflows/test-and-deploy-ipv4only.yaml
+++ b/.github/workflows/test-and-deploy-ipv4only.yaml
@@ -49,7 +49,7 @@ jobs:
             -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
             -H "Content-Type: application/json" \
             -d '{"image":"debian-12"}' \
-            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_SERVER_ID }}/actions/rebuild"
+            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_IPV4_SERVER_ID }}/actions/rebuild"
 
       - run: scripts/initenv.sh
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c7f5932d..58cf350c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,9 @@
 - use old crypt lib in python < 3.11
   ([#483](https://github.com/deltachat/chatmail/pull/483))
 
+- chatmaild: set umask to 0700 for doveauth + metadata
+  ([#490](https://github.com/deltachat/chatmail/pull/492))
+
 - remove MTA-STS daemon
   ([#488](https://github.com/deltachat/chatmail/pull/488))
 
diff --git a/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f b/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
index b178819d..968b4885 100644
--- a/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
+++ b/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
@@ -7,6 +7,7 @@ Restart=always
 RestartSec=30
 User=vmail
 RuntimeDirectory=chatmail-metadata
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target
diff --git a/cmdeploy/src/cmdeploy/service/doveauth.service.f b/cmdeploy/src/cmdeploy/service/doveauth.service.f
index 657430d3..9d858960 100644
--- a/cmdeploy/src/cmdeploy/service/doveauth.service.f
+++ b/cmdeploy/src/cmdeploy/service/doveauth.service.f
@@ -7,6 +7,7 @@ Restart=always
 RestartSec=30
 User=vmail
 RuntimeDirectory=doveauth
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target