diff --git a/opensmtpd.service b/opensmtpd.service
index d90b65a..7832dc3 100644
--- a/opensmtpd.service
+++ b/opensmtpd.service
@@ -6,6 +6,19 @@ Conflicts=sendmail.service postfix.service exim.service
 [Service]
 Type=forking
 ExecStart=/usr/sbin/smtpd
+ProtectSystem=strict
+ProtectHome=read-only
+PrivateTmp=true
+PrivateDevices=true
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+ReadWritePaths=/var/spool/mail /var/spool/smtpd /var/run /run
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+KeyringMode=private
 
 [Install]
 WantedBy=multi-user.target
diff --git a/opensmtpd.spec b/opensmtpd.spec
index 833cba3..9be2b77 100644
--- a/opensmtpd.spec
+++ b/opensmtpd.spec
@@ -10,7 +10,7 @@ Summary: Free implementation of the server-side SMTP protocol as defined by RFC 5321
 
 Name: opensmtpd
 Version: 6.8.0p2
-Release: 1%{?prerelease:.%{prerelease}}%{?dist}
+Release: 2%{?prerelease:.%{prerelease}}%{?dist}
 License: ISC
 URL: http://www.opensmtpd.org/
 
@@ -147,6 +147,9 @@ touch %{buildroot}/%{_mandir}/man8/makemap.8
 # fix aliases path in the config
 sed -i -e 's|/etc/mail/aliases|/etc/aliases|g' %{buildroot}/%{_sysconfdir}/opensmtpd/smtpd.conf
 
+# set mbox delivery method
+sed -i -e 's|^action "local" maildir|action "local" mbox|g' %{buildroot}/%{_sysconfdir}/opensmtpd/smtpd.conf
+
 %pre
 getent group smtpd &>/dev/null || %{_sbindir}/groupadd -r smtpd
 getent group smtpq &>/dev/null || %{_sbindir}/groupadd -r smtpq
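Review bot: `ProtectHome=read-only` combined with `ProtectSystem=strict` means local delivery can only write where `ReadWritePaths` allows, so a site that keeps or restores `maildir` delivery into home directories will see writes fail at delivery time with no hint in the unit; a comment such as `# maildir delivery into $HOME is blocked by ProtectHome=read-only; the packaged smtpd.conf uses mbox in /var/spool/mail` above the `ProtectHome=` line ties the two changes in this commit together. `ReadWritePaths=` names both `/var/run` and `/run`; where `/var/run` is a symlink to `/run` the first entry is redundant, and keeping the allow-list to the paths smtpd actually writes is what keeps the `strict` policy meaningful. The capability bounding set looks like the minimum for chrooting, binding the SMTP port and delivering as the recipient user, but I cannot tell from this diff whether the root parent also needs `CAP_KILL` to signal its unprivileged child processes on shutdown, so that deserves a runtime check before release. Once the current set is verified, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, `RestrictNamespaces=true` and `LockPersonality=true` are natural additions for a daemon with this profile.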
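Review bot: The added `sed` on the `action "local" maildir` line is a silent no-op if the upstream default `smtpd.conf` ever changes that line (different action name, spacing, or a leading comment), and in that case the package would ship maildir delivery while the hardened unit in this same commit blocks writes into home directories. Making the build fail instead is a one-line guard before the substitution: `grep -q '^action "local" maildir' %{buildroot}/%{_sysconfdir}/opensmtpd/smtpd.conf || exit 1`. The enclosing spec section starts before this hunk.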
@@ -158,10 +161,6 @@ exit 0
 
 %post
 %systemd_post %{name}.service
-# fix broken mta-makemapman
-[ -f "/var/lib/alternatives/mta" ] && \
- sed -i -e 's|/usr/share/man/man1/makemap.1.gz|/usr/share/man/man8/makemap.8.gz|g' /var/lib/alternatives/mta
-
 %{_sbindir}/alternatives --install %{_sbindir}/sendmail mta %{_sbindir}/sendmail.opensmtpd 10 \
 --slave %{_bindir}/mailq mta-mailq %{_bindir}/mailq.opensmtpd \
 %if 0%{?_with_pam}
@@ -251,6 +250,10 @@ exit 0
 %changelog
+* Fri Nov 05 2021 Denis Fateyev - 6.8.0p2-2
+- Add hardened security settings to service
+- Set "mbox" delivery method usage by default
+
 * Wed Jan 20 2021 Denis Fateyev - 6.8.0p2-1
 - Update to 6.8.0p2 release