maddy

Fork https://github.com/foxcpp/maddy

git clone git://git.lin.moe/go/maddy.git

 1[Unit]
 2Description=maddy mail server (using %i.conf)
 3Documentation=man:maddy(1)
 4Documentation=man:maddy.conf(5)
 5Documentation=https://maddy.email
 6After=network-online.target
 7
 8[Service]
 9Type=notify
10NotifyAccess=main
11
12User=maddy
13Group=maddy
14
15ConfigurationDirectory=maddy
16RuntimeDirectory=maddy
17StateDirectory=maddy
18LogsDirectory=maddy
19ReadOnlyPaths=/usr/lib/maddy
20ReadWritePaths=/var/lib/maddy
21
22# Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
23PrivateTmp=true
24PrivateHome=true
25ProtectSystem=strict
26ProtectKernelTunables=true
27ProtectHostname=true
28ProtectClock=true
29ProtectControlGroups=true
30RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
31DeviceAllow=/dev/syslog
32
33# Additional sandboxing. You need to disable all of these options
34# for privileged helper binaries (for system auth) to work correctly.
35NoNewPrivileges=true
36PrivateDevices=true
37RestrictSUIDSGID=true
38ProtectKernelModules=true
39MemoryDenyWriteExecute=true
40RestrictNamespaces=true
41RestrictRealtime=true
42LockPersonality=true
43
44# Graceful shutdown with a reasonable timeout.
45TimeoutStopSec=7s
46KillMode=mixed
47KillSignal=SIGTERM
48
49# Required to bind on ports lower than 1024.
50AmbientCapabilities=CAP_NET_BIND_SERVICE
51CapabilityBoundingSet=CAP_NET_BIND_SERVICE
52
53# Force all files created by maddy to be only readable by it and
54# maddy group.
55UMask=0007
56
57# Bump FD limitations. Even idle mail server can have a lot of FDs open (think
58# of idle IMAP connections, especially ones abandoned on the other end and
59# slowly timing out).
60LimitNOFILE=131072
61
62# Limit processes count to something reasonable to
63# prevent resources exhausting due to big amounts of helper
64# processes launched.
65LimitNPROC=512
66
67# Restart server on any problem.
68Restart=on-failure
69# ... Unless it is a configuration problem.
70RestartPreventExitStatus=2
71
72ExecStart=/usr/local/bin/maddy --config /etc/maddy/%i.conf run
73
74ExecReload=/bin/kill -USR1 $MAINPID
75ExecReload=/bin/kill -USR2 $MAINPID
76
77[Install]
78WantedBy=multi-user.target