[Unit]
Description=OpenSMTPD mail daemon
After=syslog.target network.target
Conflicts=sendmail.service postfix.service exim.service

[Service]
Type=forking
ExecStart=/usr/sbin/smtpd
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
PrivateDevices=true
CapabilityBoundingSet=CAP_SYS_CHROOT CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
ReadWritePaths=/var/spool/mail /var/spool/smtpd /var/run /run
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
KeyringMode=private

[Install]
WantedBy=multi-user.target