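# dovecot.service - systemd unit running the Dovecot IMAP/POP3 server inside
# the /chroot/maild root directory.
# This file is part of Dovecot.
#
# To pass additional command line options to the dovecot binary, create the
# drop-in `/etc/systemd/system/dovecot.service.d/service.conf' with a
# [Service] section that sets the OPTIONS environment variable, for example:
#
#   [Service]
#   Environment='OPTIONS=-p'
#
# ExecStart= below expands $OPTIONS, so the drop-in takes effect without
# editing this file. The drop-in may also override other [Service] settings.
# If you have trouble with `Too many open files', set:
#   LimitNOFILE=8192
# To allow the Dovecot services to produce core dumps, set:
#   LimitCORE=infinity

[Unit]
Description=Dovecot IMAP/POP3 email server in chroot
Documentation=man:dovecot(1)
Documentation=http://wiki2.dovecot.org/
# Ordering only: start after the admin MariaDB instance whose socket is
# bind-mounted below; After= does not make that service a requirement.
After=local-fs.target network.target mariadb-admin.service
# Stop Dovecot whenever the chroot target is stopped.
BindsTo=chr-maild.target

[Service]
Type=forking
# RootDirectoryStartOnly=false: every Exec*= command, not only ExecStart=,
# runs inside the chroot, so the Exec*= paths are chroot-relative.
RootDirectory=/chroot/maild
RootDirectoryStartOnly=false
# $OPTIONS expands to nothing unless a drop-in sets it (see header).
ExecStart=/usr/sbin/dovecot -c /etc/dovecot/dovecot.conf $OPTIONS
# Written as a host-side path; /chroot/maild/run is bind-mounted to /run
# inside the chroot below, so presumably dovecot writes /run/dovecot/master.pid.
PIDFile=/chroot/maild/run/dovecot/master.pid
ExecReload=/usr/bin/doveadm reload
ExecStop=/usr/bin/doveadm stop
NonBlocking=true

# Sandboxing.
# Mount /proc, /sys and /dev inside the chroot; /dev is a private, minimal
# one without physical device nodes.
MountAPIVFS=true
PrivateDevices=true
DevicePolicy=closed
PrivateTmp=true
# Deliberately off. No User= is set, so the master runs as root; several of
# the hardening options below would imply NoNewPrivileges=yes for a non-root
# unit. NOTE(review): confirm Dovecot actually needs this disabled.
#NoNewPrivileges=true
NoNewPrivileges=false
ProtectSystem=full
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
# Hide other users' processes and expose only PID entries in /proc.
ProtectProc=invisible
ProcSubset=pid
RestrictRealtime=true
RestrictSUIDSGID=true
# Rejects writable-and-executable memory mappings; a plugin that needs JIT
# would fail with mmap/mprotect errors in the journal.
MemoryDenyWriteExecute=true
# Hardening options kept commented for reference; not active. Each needs
# testing against the chroot before being enabled.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
#LockPersonality=yes

# Path restrictions, written host-side (/chroot/maild/...).
# NOTE(review): ReadOnlyPaths=/InaccessiblePaths= may be resolved relative to
# RootDirectory= rather than the host on some systemd versions - verify on the
# running system that the mounts land where intended.
# Chroot-relative form, kept for reference:
#ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/maild/bin /chroot/maild/sbin /chroot/maild/lib /chroot/maild/lib64 /chroot/maild/usr /chroot/maild/etc
InaccessiblePaths=/chroot/maild/boot /chroot/maild/sys /chroot/maild/proc

# Bind mounts: host-path:chroot-path:norbind (non-recursive). A leading '-'
# skips the mount when the host path is missing instead of failing the unit.
# run
BindPaths=/chroot/maild/run:/run:norbind
# log, systemd notify
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# admin mysql (optional)
BindPaths=-/chroot/admin/run/mysqld:/run/mysqld:norbind
# sys-ssl (optional)
BindPaths=-/etc/ssl/sys:/etc/ssl/sys:norbind

[Install]
# Pulled in by the chroot target rather than multi-user.target.
#WantedBy=multi-user.target
WantedBy=chr-maild.target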