# systemd [Service] hardening settings. The bind paths suggest this is a
# drop-in for the Dovecot unit; the unit name is not visible here, confirm.
# One directive per line: systemd does not parse several assignments on a line.
# Use full-line comments only. After editing, run `systemd-analyze security`
# against the unit to see which sandboxing options are still unset.
[Service]
# Soft and hard limit on open file descriptors for the service.
LimitNOFILE=100000

# --- File system view ---
# Mount the whole file system hierarchy read-only for this service, except
# the API file systems (/dev, /proc, /sys). Write access has to be opened
# explicitly below.
ProtectSystem=strict
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# Private /dev containing only pseudo-devices; no access to physical devices.
PrivateDevices=true
# Paths bind-mounted read-write into the service's mount namespace. Together
# with the private /tmp, these are the writable locations under
# ProtectSystem=strict.
# NOTE(review): without a leading "-", a path that does not exist at start-up
# makes namespace setup fail; confirm /run/dovecot/ exists before the service
# starts.
# NOTE(review): /var/run is usually a symlink to /run, so the second entry is
# probably redundant; verify on the target host.
# NOTE(review): the mail storage location is not configured here. If it lies
# outside these paths it is read-only for the service; confirm deliveries work.
BindPaths=/run/dovecot/
BindPaths=/var/run/dovecot/
BindPaths=/var/lib/dovecot/
# Paths hidden from the service entirely, limiting what a compromised process
# can read.
# NOTE(review): the same missing-path caveat applies; prefix with "-" if
# /var/www/ may not exist on every host.
InaccessiblePaths=/var/www/
InaccessiblePaths=/root/

# --- Kernel interfaces ---
# Make kernel tunables (/proc/sys, /sys and similar) read-only.
ProtectKernelTunables=true
# Deny explicit loading and unloading of kernel modules.
ProtectKernelModules=true
# Make the control group hierarchy (/sys/fs/cgroup) read-only.
ProtectControlGroups=true

# --- Process restrictions ---
# The service and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Lock the personality(2) execution domain to the default.
LockPersonality=true
# Refuse memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true
# Allow only native-ABI system calls. Keep this alongside
# MemoryDenyWriteExecute=, which can otherwise be bypassed through a
# secondary ABI.
SystemCallArchitectures=native