> On 25 Apr 2025, at 11:16, Mathias Gibbens <gib...@debian.org> wrote:
>
> I'm hesitant to go too crazy adding systemd hardening options to the
> service, although I'd be open to ones that don't require specific
> changes to support a given MTA, such as some of the exim ones mentioned
> in this bug report.

That is an entirely reasonable attitude. Even with no hardening, it's NO WORSE than crontab.
To reliably handle mail you need at least to avoid NoNewPrivileges (postfix maildrop needs setgid) and of course PrivateNetworking and TCP (msmtp). In case it’s not obvious, systemd-analyze security foo.service lists hardening in descending utility (that is, most important first).
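As an added illustration (not part of this thread or of the Debian package), a drop-in that applies only options which, by the reasoning above, leave MTA handling intact. The unit name cron.service and the particular options chosen are my assumptions; since every setting here is inherited by the jobs the daemon spawns, each one still has to be confirmed against the jobs on the target system.

```ini
# Assumed path: /etc/systemd/system/cron.service.d/hardening.conf
# Added example, not from the bug report.
[Service]
# Deliberately NOT set: NoNewPrivileges=yes
#   It would block the setgid postfix maildrop binary that local
#   mail submission relies on.
# Deliberately NOT set: PrivateNetwork=yes
#   It would remove the TCP path an SMTP client such as msmtp needs.
#
# Options below need no MTA-specific support; they are namespace-wide
# and apply to every cron job as well, so verify jobs tolerate them.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
LockPersonality=yes
```

After `systemctl daemon-reload`, `systemd-analyze security cron.service` shows the remaining findings ranked as described above, so the effect of each added line can be checked before restarting the service.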