Introduce systemd.exec restrictions for better security

etc/systemd/system/dovecot.service.d/custom.conf

@@ -0,0 +1,17 @@
+[Service]
+LimitNOFILE=100000
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+BindPaths=/run/dovecot/
+BindPaths=/var/run/dovecot/
+BindPaths=/var/lib/dovecot/
+InaccessiblePaths=/var/www/
+InaccessiblePaths=/root/