# systemd [Service] sandboxing and resource settings.
# NOTE(review): the /var/lib/dovecot path below suggests this hardens a
# Dovecot unit - confirm which unit this file applies to.
[Service]
# Open file descriptor limit; a single value sets both the soft and hard limit.
LimitNOFILE=100000
# Mount the whole file system hierarchy read-only for this service, except the
# API file systems /dev, /proc and /sys. Writable locations must be granted
# explicitly (see the BindPaths= entries below).
ProtectSystem=strict
# Give the service its own private /tmp and /var/tmp, not shared with the host.
PrivateTmp=true
# The service and its children cannot gain privileges through execve()
# (setuid/setgid bits and file capabilities have no effect).
NoNewPrivileges=true
# Private /dev containing only pseudo devices such as /dev/null, /dev/zero and
# /dev/random; physical devices are not reachable.
PrivateDevices=true
# Kernel tunables exposed through /proc/sys, /sys and similar are read-only.
ProtectKernelTunables=true
# Explicit loading and unloading of kernel modules is denied.
ProtectKernelModules=true
# The control group hierarchy under /sys/fs/cgroup is read-only.
ProtectControlGroups=true
# Locks the personality(2) system call so the execution domain cannot change.
LockPersonality=true
# Forbids memory mappings that are writable and executable at the same time.
# Programs that generate code at run time (JIT) will not work with this set.
MemoryDenyWriteExecute=true
# Only system calls of the native ABI are permitted.
SystemCallArchitectures=native
# Bind-mount these host paths into the service's mount namespace. The leading
# "-" means a missing path is ignored instead of being treated as an error.
# NOTE(review): presumably these are the writable exceptions to
# ProtectSystem=strict; ReadWritePaths= is the directive systemd documents for
# that purpose - confirm BindPaths= gives the intended result here.
# NOTE(review): all of /run is exposed, which also holds sockets and runtime
# state of other services; consider narrowing to the service's own runtime
# directory. /var/run is commonly a symlink to /run, so the second entry may
# be redundant - verify on the target host.
BindPaths=-/run
BindPaths=-/var/run
BindPaths=-/var/lib/dovecot
# Make these paths completely inaccessible to the service.
# NOTE(review): unlike the BindPaths= entries there is no "-" prefix, so the
# unit fails to start on a host where /var/www or /root does not exist;
# confirm that is intended.
# NOTE(review): no ProtectHome= is set in the lines visible here, so /home is
# not hidden by this file; only /root is.
InaccessiblePaths=/var/www
InaccessiblePaths=/root