[Unit]
Description=Postfix Mail Transport Agent (main/default instance)
Documentation=man:postfix(1)
After=network.target nss-lookup.target
# network-online.target is a semi-working work-around for specific
# network_interfaces, https://bugs.debian.org/854475#126
# Please add local override wanting network-online.target or
# systemd-networkd-wait-online@INTERFACE:no-carrier.service
#After=network-online.target
#Wants=network-online.target
ConditionPathExists=/etc/postfix/main.cf
# pre-3.9.1-7 multi-instance setup:
Conflicts=postfix@-.service

[Service]
Type=forking
# Force operations on single default instance, do not run postmulti wrapper
Environment=MAIL_CONFIG=/etc/postfix
# perform 2-stage startup
ExecStartPre=+postfix check
ExecStart=postfix debian-systemd-start
ExecStop=postfix stop
ExecReload=postfix reload

# Postfix consists of multiple processes run by a master(8) orchestrator,
# each of them having different requirements.  From the whole set, local(8)
# (the Postfix local delivery agent) is the most demanding one, because it
# runs things as user, and a user needs to be able to run suid/sgid programs
# (if not only to be able to deliver mail to /var/spool/postfix/postdrop).
# Individual Postfix daemons are started as root, optionally perform chroot
# into the queue directory, and drop privileges voluntary

# listen(2) on privileged ports (smtp)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# chroot into queue dir
CapabilityBoundingSet=CAP_SYS_CHROOT
# drop root privs, run as user when delivering local mail
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
# processes access protected files in non-root-owned dirs (acl root:rwx);
CapabilityBoundingSet=CAP_DAC_OVERRIDE
# https://bugs.debian.org/1099891 :
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# chown(2) is needed for procmal &Co to create /var/mail/$USER
CapabilityBoundingSet=CAP_CHOWN

# users might run suid/sgid programs from ~/.forward:
RestrictSUIDSGID=no
# for the same reason, NoNewPrivileges can not be set to yes
NoNewPrivileges=no

# if you don't use procmail for delivery to /var/mail/$USER,
# CAP_CHOWN can be removed.
# if you don't use local(8) at all, only doing local delivery over LMTP
# or using virtual(8), you can also set
#RestrictSUIDSGID=yes
#NoNewPrivileges=yes
# Also, CAP_DAC_OVERRIDE can be eliminated by adding root user to ACL to
# postfix-owned dis in spool: public, private; and whatever maps in protected
# subdirs you use, relying on cap_dac_override

LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectControlGroups=yes
ProtectClock=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# ProtectProc is not usable with User=root:
#ProtectProc=noaccess
ProcSubset=pid
# ProtectSystem can be "yes" if rw maps are in /etc, or "full"
# Alternative would be "strict" +ReadWritePaths=/var
ProtectSystem=full
# Need to write to ~/Maildir/ etc:
ProtectHome=no
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes

SystemCallFilter=@system-service @setuid chroot

[Install]
WantedBy=multi-user.target