[Unit] Description=Postfix Mail Transport Agent After=network.target [Service] Type=forking ExecStartPre=-/usr/bin/newaliases ExecStart=/usr/sbin/postfix start ExecStop=/usr/sbin/postfix stop ExecReload=/usr/sbin/postfix reload # Hardening PrivateTmp=yes PrivateDevices=yes ProtectSystem=full ReadWritePaths=-/etc/mail/aliases.db -/etc/mail/aliases.cdb -/etc/mail/aliases.lmdb CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE MemoryDenyWriteExecute=true ProtectKernelModules=true ProtectKernelTunables=true ProtectControlGroups=true RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX RestrictNamespaces=true RestrictRealtime=true [Install] WantedBy=multi-user.target