maddy

Fork https://github.com/foxcpp/maddy

git clone git://git.lin.moe/go/maddy.git

 1[Unit]
 2Description=maddy mail server
 3Documentation=man:maddy(1)
 4Documentation=man:maddy.conf(5)
 5Documentation=https://maddy.email
 6After=network-online.target
 7
 8[Service]
 9Type=notify
10NotifyAccess=main
11
12User=maddy
13Group=maddy
14
15# cd to state directory to make sure any relative paths
16# in config will be relative to it unless handled specially.
17WorkingDirectory=/var/lib/maddy
18
19ConfigurationDirectory=maddy
20RuntimeDirectory=maddy
21StateDirectory=maddy
22LogsDirectory=maddy
23ReadOnlyPaths=/usr/lib/maddy
24ReadWritePaths=/var/lib/maddy
25
26# Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
27PrivateTmp=true
28ProtectHome=true
29ProtectSystem=strict
30ProtectKernelTunables=true
31ProtectHostname=true
32ProtectClock=true
33ProtectControlGroups=true
34RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
35
36# Additional sandboxing. You need to disable all of these options
37# for privileged helper binaries (for system auth) to work correctly.
38NoNewPrivileges=true
39PrivateDevices=true
40DeviceAllow=/dev/syslog
41RestrictSUIDSGID=true
42ProtectKernelModules=true
43MemoryDenyWriteExecute=true
44RestrictNamespaces=true
45RestrictRealtime=true
46LockPersonality=true
47
48# Graceful shutdown with a reasonable timeout.
49TimeoutStopSec=7s
50KillMode=mixed
51KillSignal=SIGTERM
52
53# Required to bind on ports lower than 1024.
54AmbientCapabilities=CAP_NET_BIND_SERVICE
55CapabilityBoundingSet=CAP_NET_BIND_SERVICE
56
57# Force all files created by maddy to be only readable by it
58# and maddy group.
59UMask=0007
60
61# Bump FD limitations. Even idle mail server can have a lot of FDs open (think
62# of idle IMAP connections, especially ones abandoned on the other end and
63# slowly timing out).
64LimitNOFILE=131072
65
66# Limit processes count to something reasonable to
67# prevent resources exhausting due to big amounts of helper
68# processes launched.
69LimitNPROC=512
70
71# Restart server on any problem.
72Restart=on-failure
73# ... Unless it is a configuration problem.
74RestartPreventExitStatus=2
75
76ExecStart=/usr/local/bin/maddy run
77
78ExecReload=/bin/kill -USR1 $MAINPID
79ExecReload=/bin/kill -USR2 $MAINPID
80
81[Install]
82WantedBy=multi-user.target