diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
index c0b8b3570c07..a60f47f63932 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
@@ -174,7 +174,10 @@ in
       EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
       RuntimeDirectory = "prometheus-mail-exporter";
       ExecStartPre = [
-        "${pkgs.envsubst}/bin/envsubst -i ${configFile} -o \${RUNTIME_DIRECTORY}/mail-exporter.json"
+        "${pkgs.writeShellScript "subst-secrets-mail-exporter" ''
+          umask 0077
+          ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o ''${RUNTIME_DIRECTORY}/mail-exporter.json
+        ''}"
       ];
       ExecStart = ''
         ${pkgs.prometheus-mail-exporter}/bin/mailexporter \