diff --git a/roles/mailserver_database/defaults/main/plain.yml b/roles/mailserver_database/defaults/main/plain.yml
index b5a59a5..fb47d69 100644
--- a/roles/mailserver_database/defaults/main/plain.yml
+++ b/roles/mailserver_database/defaults/main/plain.yml
@@ -8,10 +8,10 @@ mailserver_database:
 ro_user:
 name: mailserver
 pwd: "{{ vault_mailserver_database.ro_user.pwd }}"
- # Create pwd hashes with `doveadm pw -s BLF-CRYPT`
 virtual_users:
 - name: "{{ ansible_facts['env']['USER'] }}"
- pwd: '{BLF-CRYPT}$2y$05$9rYhnwHxmu9nqLHyxE/JoOjAds22PQAM42cJr.sRtdzmFBykyUy3S'
+ # same as `doveadm pw -s BLF-CRYPT -p foo`
+ pwd: "{BLF-CRYPT}{{ 'foo' | password_hash('blowfish') }}"
 virtual_aliases:
 - source: abuse
 destination: "{{ ansible_facts['env']['USER'] }}"
diff --git a/roles/mailserver_database/tasks/main.yml b/roles/mailserver_database/tasks/main.yml
index d5b134e..61e4558 100644
--- a/roles/mailserver_database/tasks/main.yml
+++ b/roles/mailserver_database/tasks/main.yml
@@ -34,7 +34,7 @@
 ansible.builtin.template:
 src: tables.sql.j2
 dest: ~/mailserver_tables.sql
- mode: "644"
+ mode: "600"
 notify: Create postgresql tables
 - name: Make sure tables are created before setting permissions
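Review bot: The new default on the `pwd:` line hashes the literal string `foo`, so any host that does not override `mailserver_database.virtual_users` gets a mail account whose password is published in the role. Unlike `ro_user.pwd` a few lines above, it is not read from the vault; I would source it the same way, e.g. `pwd: "{BLF-CRYPT}{{ <vault variable for this user's password> | password_hash('blowfish') }}"`, so the play fails when the variable is undefined instead of falling back to a known value. `password_hash` is also called without a salt, so it presumably yields a different hash on every run and the rendered value never stabilises; a fixed per-user salt would keep the result idempotent. The `mailserver_database` mapping starts above the hunk and continues after it.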
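Review bot: The rendered SQL can still leak through play output even with mode `600`, because `ansible.builtin.template` prints the rendered text when the play runs with `--diff`. If `tables.sql.j2` embeds the virtual-user hashes or the `ro_user` password (the template is not visible here), add `diff: false` or `no_log: true` to this task. The file also appears to stay in the home directory after the `Create postgresql tables` handler has run, so consider removing it once the tables exist. The task's `- name:` line is above the hunk.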