# Sandboxing drop-in for a service unit (the paths suggest Postfix; confirm
# against the unit this file overrides). Read by systemd: `#` starts a
# full-line comment and repeated list-type keys such as ReadWritePaths=
# accumulate rather than override.
[Service]
# Filesystem: entire hierarchy read-only, private /tmp, no real device nodes.
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true

# Writable exceptions to ProtectSystem=strict; a leading "-" makes a missing
# path non-fatal instead of failing the unit.
# NOTE(review): /var/spool/ is wider than /var/spool/postfix/ — presumably
# kept for local mailbox delivery under /var/spool/mail; confirm before
# narrowing it.
ReadWritePaths=-/var/spool/ -/var/lib/postfix/
# Web root hidden from the service entirely.
InaccessiblePaths=-/var/www/

# Kernel and cgroup surfaces read-only; no module loading from the service.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Privilege and execution restrictions: no setuid gains, fixed personality,
# no writable+executable memory, host-native syscall ABI only.
NoNewPrivileges=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native