diff --git a/scripts/80-app.sh b/scripts/80-app.sh
index bb9f3cf..36065ef 100644
--- a/scripts/80-app.sh
+++ b/scripts/80-app.sh
@@ -172,11 +172,12 @@ setfacl -dR -m u:www-data:rwx,u:${APP_USER}:rwx storage bootstrap/cache || true
 log "[✓] Schreibrechte für Laravel korrigiert."
 
 # --- DKIM: Verzeichnisse & Basisrechte --------------------------------------
-# Laravel-Storage: private/dkim von mailwolt beschreibbar
-install -d -m 0770 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage/app/private"
-install -d -m 0770 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage/app/private/dkim"
+install -d -m 2775 -o "$APP_USER" -g www-data "$APP_DIR/storage/app/private"
+install -d -m 2775 -o "$APP_USER" -g www-data "$APP_DIR/storage/app/private/dkim"
+setfacl -R  -m u:${APP_USER}:rwx,u:www-data:rwx "$APP_DIR/storage/app/private" || true
+setfacl -dR -m u:${APP_USER}:rwx,u:www-data:rwx "$APP_DIR/storage/app/private" || true
 
-# OpenDKIM: keys & dns-Verzeichnis
+# --- OpenDKIM: keys & DNS-Verzeichnis --------------------------------------
 install -d -m 0750 -o opendkim -g opendkim /etc/opendkim
 install -d -m 0750 -o opendkim -g opendkim /etc/opendkim/keys
 install -d -m 0755 -o root     -g root     /etc/mailwolt
diff --git a/scripts/90-services.sh b/scripts/90-services.sh
index 0521d39..85f5098 100644
--- a/scripts/90-services.sh
+++ b/scripts/90-services.sh
@@ -24,6 +24,7 @@ StandardOutput=append:/var/log/${APP_USER}-ws.log
 StandardError=append:/var/log/${APP_USER}-ws.log
 KillSignal=SIGINT
 TimeoutStopSec=15
+UMask=0002
 [Install]
 WantedBy=multi-user.target
 EOF
@@ -47,6 +48,7 @@ StandardOutput=append:/var/log/${APP_USER}-schedule.log
 StandardError=append:/var/log/${APP_USER}-schedule.log
 KillSignal=SIGINT
 TimeoutStopSec=15
+UMask=0002
 [Install]
 WantedBy=multi-user.target
 EOF
@@ -70,6 +72,7 @@ StandardOutput=append:/var/log/${APP_USER}-queue.log
 StandardError=append:/var/log/${APP_USER}-queue.log
 KillSignal=SIGINT
 TimeoutStopSec=15
+UMask=0002
 [Install]
 WantedBy=multi-user.target
 EOF