diff -up dovecot-2.3.0.1/dovecot.service.in.systemd_w_protectsystem dovecot-2.3.0.1/dovecot.service.in
--- dovecot-2.3.0.1/dovecot.service.in.systemd_w_protectsystem 2018-03-01 10:41:05.591067106 +0100
+++ dovecot-2.3.0.1/dovecot.service.in 2018-03-01 10:42:52.859959021 +0100
@@ -20,6 +20,7 @@ ExecReload=@bindir@/doveadm reload
 ExecStop=@bindir@/doveadm stop
 PrivateTmp=true
 NonBlocking=yes
+# this will make /usr /boot /etc read only for dovecot
 ProtectSystem=full
 PrivateDevices=true
 # disable this if you want to use apparmor plugin
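Review bot: The added comment above `ProtectSystem=full` says what becomes read-only but not what an administrator should do when a deployment needs Dovecot to write under one of those trees, which invites simply deleting the directive. I would extend it to something like `# this will make /usr /boot /etc read only for dovecot; use ReadWritePaths= (ReadWriteDirectories= on older systemd) to re-allow a specific directory`, so the hardening is relaxed per path rather than switched off. It may also be worth stating that `full` leaves /var and home directories writable, so this setting limits tampering with system files and configuration, not access to mail data. The [Service] section starts outside the hunk, so other sandboxing directives may already be set there.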