diff --git a/plinth/modules/email_server/audit/ldap.py b/plinth/modules/email_server/audit/ldap.py
index 3b2376789..f5cf9bf3a 100644
--- a/plinth/modules/email_server/audit/ldap.py
+++ b/plinth/modules/email_server/audit/ldap.py
@@ -1,6 +1,8 @@
 """Audit of LDAP and mail submission settings"""
 # SPDX-License-Identifier: AGPL-3.0-or-later
+import logging
+
 from plinth import actions
 import plinth.modules.email_server.postconf as postconf
@@ -26,6 +28,20 @@ default_submission_options = {
 'smtpd_relay_restrictions': 'permit_sasl_authenticated,reject'
 }
+smtps_flags = postconf.ServiceFlags(
+ service='smtps', type='inet', private='n', unpriv='-', chroot='y',
+ wakeup='-', maxproc='-', command_args='smtpd'
+)
+
+default_smtps_options = {
+ 'syslog_name': 'postfix/smtps',
+ 'smtpd_tls_wrappermode': 'yes',
+ 'smtpd_sasl_auth_enable': 'yes',
+ 'smtpd_relay_restrictions': 'permit_sasl_authenticated,reject'
+}
+
+logger = logging.getLogger(__name__)
+
 def get():
 """Compare current values with the default. Generate an audit report
@@ -47,7 +63,13 @@ def repair():
 Recommended endpoint name: POST /audit/ldap/repair
 """
+ logger.debug('Updating postconf: %r', default_config)
 actions.superuser_run('email_server', ['ipc', 'set_sasl'])
+
+ logger.debug('Setting up postfix %s service in master.cf: %r',
+ submission_flags.service, default_submission_options)
+ logger.debug('And postfix %s service: %r', smtps_flags.service,
+ default_smtps_options)
 actions.superuser_run('email_server', ['ipc', 'set_submission'])
@@ -60,3 +82,5 @@ def action_set_submission():
 """Called by email_server ipc set_submission"""
 postconf.set_master_cf_options(service_flags=submission_flags,
 options=default_submission_options)
+ postconf.set_master_cf_options(service_flags=smtps_flags,
+ options=default_smtps_options)
diff --git a/plinth/modules/email_server/audit/models.py b/plinth/modules/email_server/audit/models.py
index ec91a9280..de64a36c5 100644
--- a/plinth/modules/email_server/audit/models.py
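Review bot: No hunk in this commit touches the body of `get()`, so the audit report presumably still compares only the SASL and submission defaults and will not flag a missing or altered `smtps` entry, even though `repair()` now writes one. `get()` starts at the end of this hunk and its body is not shown, so this should be confirmed there. Because `default_smtps_options` enables SASL on a second listener, a short comment above it would help the next reader, for example `# smtps: implicit TLS (smtpd_tls_wrappermode), authenticated relay only`. Any log-based rate limiting or alerting that matches on the syslog tag should also be checked against the new `postfix/smtps` name.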
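Review bot: The two added `logger.debug` calls before the `['ipc', 'set_submission']` action split one event across two records, and the second message, `'And postfix %s service: %r'`, cannot be understood on its own once log lines are filtered or interleaved. A self-contained form would be `logger.debug('Setting up postfix %s service in master.cf: %r', smtps_flags.service, default_smtps_options)`. The messages are also written before `actions.superuser_run` is called, so they record intent rather than outcome; nothing visible in the hunk logs or checks the result of the privileged call. `repair()` begins above the hunk.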
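Review bot: The docstring of `action_set_submission` still reads `"""Called by email_server ipc set_submission"""` although the function now writes two master.cf services; I would extend it to something like `"""Called by email_server ipc set_submission; sets the submission and smtps services in master.cf"""`. The two `postconf.set_master_cf_options` calls are independent, so if the second one raises, master.cf is presumably left with submission updated and smtps not. Whether that helper is atomic or takes a lock is not visible in this diff.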
+++ b/plinth/modules/email_server/audit/models.py
@@ -25,7 +25,7 @@ class Result:
 def write_logs(self):
 """Log errors and failures"""
- logger.debug('Ran audit: ' + self.title)
+ logger.debug('Ran audit: %s', self.title)
 for message in self.errors:
 logger.critical(message)
 for message in self.fails:
diff --git a/plinth/modules/email_server/lock.py b/plinth/modules/email_server/lock.py
index 27f21c124..0d812df9c 100644
--- a/plinth/modules/email_server/lock.py
+++ b/plinth/modules/email_server/lock.py
@@ -2,11 +2,14 @@
 import contextlib
 import errno
 import fcntl
+import logging
 import os
 import pwd
 import threading
 import time
+logger = logging.getLogger(__name__)
+
 class Mutex:
 """File and pthread lock based resource mutex"""
@@ -18,7 +21,8 @@ class Mutex:
 @contextlib.contextmanager
 def lock_threads_only(self):
 """Acquire the thread lock but not the file lock"""
- self.thread_mutex.acquire(timeout=5)
+ if not self.thread_mutex.acquire(timeout=5):
+ raise RuntimeError('Could not acquire thread lock')
 try:
 yield
 finally:
@@ -65,7 +69,10 @@ class Mutex:
 fd.truncate(0)
 os.fchown(fd.fileno(), user_info.pw_uid, user_info.pw_gid)
 else:
- self._try(lambda: os.fchmod(fd.fileno(), 0o660)) # rw-rw----
+ errno, _ = self._try(lambda: os.fchmod(fd.fileno(), 0o660))
+ if errno != 0:
+ logger.warning('chmod failed, lock path %s, errno %d',
+ self.lock_path, errno)
 def _try(self, function):
 try:
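Review bot: `RuntimeError` in `lock_threads_only` gives callers no way to tell a lock timeout from any other runtime failure; the built-in `TimeoutError` would say what happened, `raise TimeoutError('Could not acquire thread lock')`, provided no caller depends on the current type. Raising before the `try:` is the right placement, because the `finally:` clause (its body is cut off at the end of the hunk, presumably the release) then runs only when the lock is actually held. The file-locking method of `Mutex` is outside this hunk; if it also calls `self.thread_mutex.acquire(timeout=5)` without checking the result, it needs the same guard. A one-line comment such as `# acquire() returns False on timeout; never enter the critical section without the lock` would document the check.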
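Review bot: The new local in `errno, _ = self._try(...)` shadows the `errno` module imported at the top of lock.py, and Python then treats `errno` as a local name for the whole enclosing method. That method starts above the hunk; if it refers to the module anywhere (an `errno.E...` constant, for instance), the reference fails with `UnboundLocalError` or an attribute error on an int. Renaming avoids this: `error_number, _ = self._try(lambda: os.fchmod(fd.fileno(), 0o660))  # rw-rw----`, which also keeps the permission comment the change dropped. `_try`'s return contract is outside the hunk, so it is worth confirming that the first element is always an int, since the warning formats it with `%d`.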