diff --git a/data/hooks/conf_regen/01-yunohost b/data/hooks/conf_regen/01-yunohost
index 61951fe5f..767bc419b 100755
--- a/data/hooks/conf_regen/01-yunohost
+++ b/data/hooks/conf_regen/01-yunohost
@@ -85,6 +85,23 @@ do_post_regen() {
 # Enfore permissions #
 ######################
+ chmod 750 /home/admin
+ if [ -d /home/yunohost.backup ]
+ then
+ chmod 750 /home/yunohost.backup
+ chown admin:root /home/yunohost.backup
+ fi
+ if [ -d /home/yunohost.backup/archives ]
+ then
+ chmod 750 /home/yunohost.backup/archives
+ chown admin:root /home/yunohost.backup/archives
+ fi
+ if [ -d /home/yunohost.conf ]
+ then
+ chmod 750 /home/yunohost.conf
+ chown root:root /home/yunohost.conf
+ fi
+
 # Certs
 # We do this with find because there could be a lot of them...
 chown -R root:ssl-cert /etc/yunohost/certs
@@ -92,6 +109,20 @@ do_post_regen() {
 find /etc/yunohost/certs/ -type f -exec chmod 640 {} \;
 find /etc/yunohost/certs/ -type d -exec chmod 750 {} \;
+ find /etc/cron.*/yunohost-* -type f -exec chmod 755 {} \;
+ find /etc/cron.d/yunohost-* -type f -exec chmod 644 {} \;
+ find /etc/cron.*/yunohost-* -type f -exec chown root:root {} \;
+
+ chown root:root /var/cache/yunohost
+ chmod 700 /var/cache/yunohost
+ chown root:root /var/cache/moulinette
+ chmod 700 /var/cache/moulinette
+
+ setfacl -m g:all_users:--- /var/www
+ setfacl -m g:all_users:--- /var/log/nginx
+ setfacl -m g:all_users:--- /etc/yunohost
+ setfacl -m g:all_users:--- /etc/ssowat
+
 # Misc configuration / state files
 chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
 chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
diff --git a/data/hooks/conf_regen/12-metronome b/data/hooks/conf_regen/12-metronome
index 31d11555a..ca5d5dc82 100755
--- a/data/hooks/conf_regen/12-metronome
+++ b/data/hooks/conf_regen/12-metronome
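Review bot: `chmod 750 /home/admin` is the one directory in this block with no `[ -d … ]` guard and no accompanying `chown`, unlike the three that follow it; on a host where that directory is absent the chmod fails (and aborts the hook if it runs under `set -e`, which is not visible here), and its ownership is left to whatever it was. Guard it like its siblings, `[ ! -d /home/admin ] || chmod 750 /home/admin`. All four chmods are non-recursive, which is presumably deliberate since 750 on the parent is what stops other users traversing into `archives/`, so a one-line comment stating that, `# directory-level 750 is the access boundary; archive contents keep their own mode`, would stop a later reader adding -R or wondering whether pre-existing world-readable archives matter. do_post_regen starts before this hunk and continues after it.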
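Review bot: the three `find /etc/cron.*/yunohost-* …` lines rely on the shell expanding `yunohost-*`; when nothing matches (no yunohost cron job has been written yet, or they were removed) bash passes the literal pattern to find, which prints a "No such file or directory" error and returns non-zero, so every regen either logs spurious errors or, under `set -e` (not visible here), aborts before the cache and ACL hardening below runs. Let find do the matching instead: `find /etc/cron.* -maxdepth 1 -type f -name 'yunohost-*' -exec chown root:root {} \; -exec chmod 755 {} \;` followed by `find /etc/cron.d -maxdepth 1 -type f -name 'yunohost-*' -exec chmod 644 {} \;`, which reaches the same end state (644 in cron.d, 755 elsewhere) because the cron.* directories themselves exist whenever cron is installed. The `setfacl -m g:all_users:---` entries deny members of all_users regardless of the directory's `other` bits, which deserves a comment since it is easy to misread as a no-op, e.g. `# a named-group ACL entry is evaluated before "other", so all_users members are denied even if o+rx is set`. do_post_regen continues outside this hunk.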
@@ -52,11 +52,14 @@ do_post_regen() {
 mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
 # http_upload directory must be writable by metronome and readable by nginx
 mkdir -p "/var/xmpp-upload/${domain}/upload"
+ # sgid bit allows that file created in that dir will be owned by www-data
+ # despite the fact that metronome ain't in the www-data group
 chmod g+s "/var/xmpp-upload/${domain}/upload"
- chown -R metronome:www-data "/var/xmpp-upload/${domain}"
 done
 # fix some permissions
+ [ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
+ [ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"
 # metronome should be in ssl-cert group to let it access SSL certificates
 usermod -aG ssl-cert metronome
diff --git a/data/hooks/conf_regen/25-dovecot b/data/hooks/conf_regen/25-dovecot
index 46c9bdf3e..ce2722bf4 100755
--- a/data/hooks/conf_regen/25-dovecot
+++ b/data/hooks/conf_regen/25-dovecot
@@ -41,7 +41,10 @@ do_post_regen() {
 # create vmail user
 id vmail > /dev/null 2>&1 \
- || adduser --system --ingroup mail --uid 500 vmail
+ || adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
+
+ # Delete legacy home for vmail that existed in the past but was empty, poluting /home/
+ [ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail
 # fix permissions
 chown -R vmail:mail /etc/dovecot/global_script
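Review bot: the new comment above `chmod g+s` misstates what setgid does: it makes files created in the directory inherit the directory's group (www-data), not its owner — uploaded files are still owned by the metronome user, and the inherited group is exactly what gives nginx its read path. Suggest `# setgid: files created here inherit the www-data group so nginx can read them, since metronome is not a member of www-data`. Moving `chown -R` out of the loop is fine, but `chmod 750 "/var/xmpp-upload/"` hardens only the top directory; `${domain}` and `upload` are created by `mkdir -p` under the process umask, so whether www-data can actually traverse and read them depends on that umask — an explicit `chmod 750 "/var/xmpp-upload/${domain}"` inside the loop would pin the intended contract. The `for domain` loop this sits in appears to start before the hunk, and do_post_regen continues after it.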
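Review bot: `--home /var/vmail --no-create-home` only takes effect on a fresh system, because `id vmail` short-circuits the `adduser` wherever the user already exists, so upgraded installs keep `/home/vmail` as the passwd home while the line below removes that directory, leaving the account pointing at a non-existent home. If /var/vmail is meant to be the home everywhere, move it explicitly after the rmdir with `getent passwd vmail | cut -d: -f6 | grep -qx /var/vmail || usermod -d /var/vmail vmail` (I cannot see from here whether anything reads vmail's home, so confirm before adding it). Minor style point: Debian's adduser documents options before the username, so `adduser --system --ingroup mail --uid 500 --home /var/vmail --no-create-home vmail` is the conventional form even if option permutation accepts the current order. The comment has a typo, `poluting` → `polluting`. do_post_regen starts before this hunk and continues after it.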