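# Systemd template unit: one Postfix instance (postmulti instance "%i") run
# inside the /chroot/maild root directory. Parsed by systemd; see
# systemd.unit(5), systemd.exec(5) and postmulti(1).
#
# Security model as configured: the service runs as root (no User=) and keeps
# the full capability bounding set (CapabilityBoundingSet= is disabled below).
# Per systemd.exec(5) the mount-based restrictions (ReadOnlyPaths=,
# InaccessiblePaths=, ProtectSystem=) can be undone by a process holding
# CAP_SYS_ADMIN unless CapabilityBoundingSet=~CAP_SYS_ADMIN or
# SystemCallFilter=~@mount is also set; here they guard against mistakes, not
# against a compromised root process.
#
# Booleans are written true/false throughout (systemd also accepts yes/no).

[Unit]
Description=Postfix Mail Transport Agent in chroot (instance %i)
Documentation=man:postfix(1)
# Each instance is part of, reloaded together with, and ordered before the
# aggregating postfix-chroot.service.
PartOf=postfix-chroot.service
Before=postfix-chroot.service
ReloadPropagatedFrom=postfix-chroot.service
# Network, name resolution, local mounts and the admin MariaDB socket (bound
# into the chroot below) must be up first.
After=network-online.target nss-lookup.target local-fs.target mariadb-admin.service
Wants=network-online.target
PartOf=chr-maild.target

[Service]
# postmulti starts the postfix master, which daemonizes; no PIDFile= is given,
# so systemd is told not to guess the main PID.
Type=forking
RootDirectory=/chroot/maild
# false: RootDirectory= applies to every Exec*= command, not only ExecStart=,
# so all of the paths below resolve inside /chroot/maild.
RootDirectoryStartOnly=false
GuessMainPID=false
ExecStartPre=/usr/lib/postfix/configure-instance.sh %i
ExecStart=/usr/sbin/postmulti -i %i -p start
ExecStop=/usr/sbin/postmulti -i %i -p stop
ExecReload=/usr/sbin/postmulti -i %i -p reload

# Private /tmp and a private API VFS (/proc, /sys, /dev, /run) inside the root
# directory.
PrivateTmp=true
MountAPIVFS=true
# Deliberately off: Postfix ships set-UID/GID binaries that the no_new_privs
# flag would neuter (original author's note). Because the service runs as
# root, none of the hardening options below implies NoNewPrivileges= either
# (systemd.exec(5): they imply it only when CAP_SYS_ADMIN is not held).
#NoNewPrivileges=true
NoNewPrivileges=false
# Minimal /dev. PrivateDevices= already implies DevicePolicy=closed; kept
# explicit.
PrivateDevices=true
DevicePolicy=closed
# /usr, /boot, /efi and (with "full") /etc are read-only from the service's
# view; /var and /run stay writable.
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# NOTE(review): hidepid= is not enforced against holders of CAP_SYS_PTRACE,
# which root keeps here, so the root-owned master is not hidden from; it
# still applies to unprivileged children — confirm this is the intent.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
ProtectHome=true
# Hardening left disabled with no reason recorded. TODO(review): record what
# each one broke (postfix itself or the forked dovecot LDA) or re-enable it
# after testing; CapabilityBoundingSet= in particular is what would make the
# path restrictions above binding on the service (see file header).
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=true
# Prevents creating new set-UID/GID files; it does not block executing the
# existing postfix set-ID binaries, so it coexists with NoNewPrivileges=false.
RestrictSUIDSGID=true
# Inherited by everything forked from here (including the dovecot LDA, see the
# mail-data binds below); anything needing writable+executable memory (JIT)
# will fail under it — confirm.
MemoryDenyWriteExecute=true
#LockPersonality=yes

# Mount-namespace layout.
# BindPaths= sources are host paths, destinations are taken inside
# RootDirectory=; a leading "-" skips an entry whose source is missing and
# "norbind" binds non-recursively.
# NOTE(review): the ReadOnlyPaths=/ReadWritePaths=/InaccessiblePaths= entries
# mix root-relative names (/bin, /etc) with host-style names
# (/chroot/maild/...). Only one prefix convention can be right for a unit with
# RootDirectory= set; verify against systemd.exec(5) and the effective mounts,
# then drop the set that is a no-op.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/maild
ReadWritePaths=/chroot/maild/run
ReadWritePaths=-/chroot/maild/etc/dovecot/sieve
ReadWritePaths=/chroot/maild/var/mail /chroot/maild/var/mailindex /chroot/maild/var/lib /chroot/maild/var/spool
InaccessiblePaths=/chroot/maild/boot /chroot/maild/sys /chroot/maild/proc
# run
BindPaths=/chroot/maild/run:/run:norbind
# log, systemd notify: the journal's /dev/log socket, also placed under
# /var/spool/postfix so postfix's own per-daemon chroot can log (presumably
# its queue directory — verify against the instance's main.cf).
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind /run/systemd/journal/dev-log:/var/spool/postfix/dev/log:norbind
# admin mysql: the admin MariaDB socket (see After=mariadb-admin.service),
# again also inside the postfix per-daemon chroot. Sockets need a writable
# mount to connect(), so these stay read-write.
BindPaths=-/run/mysqld-admin:/run/mysqld:norbind -/run/mysqld-admin:/var/spool/postfix/run/mysqld:norbind
# opendkim
BindPaths=-/run/opendkim:/var/spool/postfix/run/opendkim:norbind
# postfix NL log (second postfix instance at /var/spool/postfix-nl)
BindPaths=/run/systemd/journal/dev-log:/var/spool/postfix-nl/dev/log:norbind
# postfix NL opendkim
BindPaths=-/run/opendkim:/var/spool/postfix-nl/run/opendkim:norbind
# sys-ssl
# NOTE(review): this is a read-write bind of host TLS material. If the
# directory holds only certificates and keys that postfix reads,
# BindReadOnlyPaths= states that intent explicitly and does not rely on
# ReadOnlyPaths=/etc or ProtectSystem= covering a submount created here.
BindPaths=-/etc/ssl/sys:/etc/ssl/sys:norbind
# mail data - needed, dovecot LDA is forked by postfix
BindPaths=-/srv/mail:/var/mail:norbind
BindPaths=-/srv/mailindex:/var/mailindex:norbind

[Install]
# Enabled via the chroot mail target; the alternatives are kept disabled.
#WantedBy=multi-user.target
WantedBy=chr-maild.target
#WantedBy=postfix-chroot.service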