# systemd hardening drop-in for a service that needs write access to
# /var/lib/dovecot and to postfix's private socket directory (looks like a
# dovecot unit; confirm). Install under
# /etc/systemd/system/<unit>.service.d/<name>.conf and run
# `systemctl daemon-reload`. Read by systemd only: `#` full-line comments,
# `=` delimiter, list-type settings may be space-separated or repeated.
[Service]
# Per-process open-file limit (soft and hard).
LimitNOFILE=100000

# --- Filesystem sandbox ---------------------------------------------------
# Whole filesystem read-only except /dev, /proc and /sys; only the
# ReadWritePaths= entries below stay writable. A leading "-" makes an entry
# optional, i.e. it is skipped when the path does not exist.
ProtectSystem=strict
# /var/run is normally a symlink to /run; both are listed so either layout
# works without error.
# NOTE(review): no mail storage location (Maildir under home directories,
# /var/mail, ...) is listed; if the service writes mail anywhere outside
# these paths it will hit a read-only mount — confirm against the
# mail_location actually in use.
ReadWritePaths=-/run -/var/run -/var/lib/dovecot -/var/spool/postfix/private
# Hide these trees completely (read-only access would still leak contents).
InaccessiblePaths=-/var/www -/root
# Private /tmp and /var/tmp, not shared with the host.
PrivateTmp=true
# Minimal private /dev (pseudo-devices only, no physical device nodes).
PrivateDevices=true

# --- Kernel and privilege surface -----------------------------------------
# The service and its children cannot gain privileges through setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=true
# /proc/sys, /sys and related kernel tunables are read-only.
ProtectKernelTunables=true
# Kernel module loading is denied.
ProtectKernelModules=true
# The cgroup hierarchy is read-only.
ProtectControlGroups=true
# personality(2) is locked to the current execution domain.
LockPersonality=true
# No mappings that are writable and executable at the same time; this is
# incompatible with JIT-based components (e.g. a LuaJIT plugin) — verify
# none are in use.
MemoryDenyWriteExecute=true
# Only the host's native syscall ABI is allowed (no compat/32-bit calls).
SystemCallArchitectures=native