Introduce systemd.exec restrictions for better security

etc/systemd/system/postfix@.service.d/custom.conf

@@ -0,0 +1,15 @@
+[Service]
+ProtectSystem=strict
+PrivateTmp=true
+NoNewPrivileges=true
+PrivateDevices=true
+#PrivateUsers=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+BindPaths=/var/spool/
+BindPaths=/var/lib/
+InaccessiblePaths=/var/www/