From cc1e73ebb9b5d1c6b61e6b95d343dc36550831ba Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Tue, 28 Jun 2016 16:40:51 -0400
Subject: [PATCH] Additional systemd service hardening

Add ProtectSystem=full, NoNewPrivileges=true, PrivateDevices=true, and a restricted CapabilityBoundingSet.

There's no reason to comment out any of these options - according to the systemd documentation at https://www.freedesktop.org/software/systemd/man/systemd.unit.html :

> If systemd encounters an unknown option, it will write a warning log message but continue loading the unit.

So it's fine to leave in options that older versions may not understand - they'll simply be ignored.
---
 dovecot.service.in | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dovecot.service.in b/dovecot.service.in
index 96ed5d62f91..26b51851159 100644
--- a/dovecot.service.in
+++ b/dovecot.service.in
@@ -30,8 +30,10 @@ ExecReload=@bindir@/doveadm reload
 ExecStop=@bindir@/doveadm stop
 PrivateTmp=true
 NonBlocking=yes
-# Enable this if your systemd is new enough to support it:
-#ProtectSystem=full
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
 
 [Install]
 WantedBy=multi-user.target
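Review bot: The new CapabilityBoundingSet line drops every capability not listed without any inline rationale, and the only explanatory comment in this part of the unit is removed by the same hunk; a capability the service later needs will not fail at unit load (unlike an unknown option, which the commit message correctly notes is only warned about) but as an EPERM deep inside Dovecot's logs, so the list should be documented where it lives. I would keep a short comment above it, e.g. `# Capabilities needed by the master and its service processes: CAP_SETUID/CAP_SETGID/CAP_SYS_CHROOT for dropping privileges and chrooting, CAP_NET_BIND_SERVICE for ports below 1024, CAP_CHOWN/CAP_DAC_OVERRIDE for mailbox ownership, CAP_IPC_LOCK for mlock, CAP_KILL for process management.` It is also worth confirming, before this lands, whether the master's per-process rlimit adjustments ever have to raise a hard limit, which on Linux requires CAP_SYS_RESOURCE and is not in the set; if they do, `CAP_SYS_RESOURCE` should be appended to the line. Note that PrivateDevices=true additionally removes CAP_MKNOD and CAP_SYS_RAWIO, which is consistent with the list here but should be stated in the same comment so the effective set is visible in one place.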