diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix
index 0bbf2df48d4..98d9e925dcd 100644
--- a/nixos/modules/services/mail/spamassassin.nix
+++ b/nixos/modules/services/mail/spamassassin.nix
@@ -126,22 +126,19 @@ in
     };
 
     systemd.services.sa-update = {
+      # Needs to be able to contact the update server.
       wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
-      script = ''
-        set +e
-        ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd
 
-        v=$?
-        set -e
-        if [ $v -gt 1 ]; then
-          echo "sa-update execution error"
-          exit $v
-        fi
-        if [ $v -eq 0 ]; then
-          systemctl reload spamd.service
-        fi
-      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "spamd";
+        Group = "spamd";
+        StateDirectory = "spamassassin";
+        ExecStart = "${pkgs.spamassassin}/bin/sa-update --verbose --gpghomedir=%S/spamassassin/sa-update-keys/";
+        ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service";
+        SuccessExitStatus = "1";
+      };
     };
 
     systemd.timers.sa-update = {
@@ -154,43 +151,22 @@ in
       };
     };
 
-    systemd.services.spamd-init = {
-      serviceConfig = {
-        Type = "oneshot";
-      };
-      script = ''
-        mkdir -p /var/lib/spamassassin
-        chown spamd:spamd /var/lib/spamassassin -R
-        if [ "$(ls -A /var/lib/spamassassin)" = "" ]; then
-          echo "'/var/lib/spamassassin' is empty, running sa-update..."
-          set +e
-          ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd
-          v=$?
-          set -e
-          # 0 and 1 no error, exitcode > 1 means error:
-          # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
-          if [ $v -gt 1 ]; then
-            echo "sa-update execution error"
-            exit $v
-          fi
-          echo "sa-update run successfully."
-        fi
-      '';
-    };
-
     systemd.services.spamd = {
       description = "SpamAssassin Server";
 
       wantedBy = [ "multi-user.target" ];
-      wants = [ "spamd-init.service" ];
+      wants = [ "sa-update.service" ];
       after = [
         "network.target"
-        "spamd-init.service"
+        "sa-update.service"
       ];
 
       serviceConfig = {
-        ExecStart = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        User = "spamd";
+        Group = "spamd";
+        ExecStart = "+${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=%S/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid";
+        ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        StateDirectory = "spamassassin";
       };
     };
   };