diff --git a/dovecot.service.in b/dovecot.service.in
index 60fc38640a..3097ef5ea7 100644
--- a/dovecot.service.in
+++ b/dovecot.service.in
@@ -36,6 +36,7 @@ ProtectSystem=full
 PrivateDevices=true
 NoNewPrivileges=true
 CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
+MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target