Postfix /etc/systemd/postfix.service

Original, Debian 13 (Trixie), 85 lines
/etc/systemd/postfix.service
[Unit]
Description=Postfix Mail Transport Agent (main/default instance)
Documentation=man:postfix(1)
After=network.target nss-lookup.target
# network-online.target is a semi-working work-around for specific
# network_interfaces, https://bugs.debian.org/854475#126
# Please add local override wanting network-online.target or
# systemd-networkd-wait-online@INTERFACE:no-carrier.service
#After=network-online.target
#Wants=network-online.target
ConditionPathExists=/etc/postfix/main.cf
# pre-3.9.1-7 multi-instance setup:
Conflicts=postfix@-.service

[Service]
Type=forking
# Force operations on single default instance, do not run postmulti wrapper
Environment=MAIL_CONFIG=/etc/postfix
# perform 2-stage startup
ExecStartPre=+postfix check
ExecStart=postfix debian-systemd-start
ExecStop=postfix stop
ExecReload=postfix reload

# Postfix consists of multiple processes run by a master(8) orchestrator,
# each of them having different requirements.  From the whole set, local(8)
# (the Postfix local delivery agent) is the most demanding one, because it
# runs things as user, and a user needs to be able to run suid/sgid programs
# (if not only to be able to deliver mail to /var/spool/postfix/postdrop).
# Individual Postfix daemons are started as root, optionally perform chroot
# into the queue directory, and drop privileges voluntarily

# listen(2) on privileged ports (smtp)
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# chroot into queue dir
CapabilityBoundingSet=CAP_SYS_CHROOT
# drop root privs, run as user when delivering local mail
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
# processes access protected files in non-root-owned dirs (acl root:rwx);
CapabilityBoundingSet=CAP_DAC_OVERRIDE
# https://bugs.debian.org/1099891 :
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# chown(2) is needed for procmail & Co to create /var/mail/$USER
CapabilityBoundingSet=CAP_CHOWN

# users might run suid/sgid programs from ~/.forward:
RestrictSUIDSGID=no
# for the same reason, NoNewPrivileges can not be set to yes
NoNewPrivileges=no

# if you don't use procmail for delivery to /var/mail/$USER,
# CAP_CHOWN can be removed.
# if you don't use local(8) at all, only doing local delivery over LMTP
# or using virtual(8), you can also set
#RestrictSUIDSGID=yes
#NoNewPrivileges=yes
# Also, CAP_DAC_OVERRIDE can be eliminated by adding root user to ACL to
# postfix-owned dirs in spool: public, private; and whatever maps in protected
# subdirs you use, relying on cap_dac_override

LockPersonality=yes
MemoryDenyWriteExecute=yes
ProtectControlGroups=yes
ProtectClock=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# ProtectProc is not usable with User=root:
#ProtectProc=noaccess
ProcSubset=pid
# ProtectSystem can be "yes" if rw maps are in /etc, or "full"
# Alternative would be "strict" +ReadWritePaths=/var
ProtectSystem=full
# Need to write to ~/Maildir/ etc:
ProtectHome=no
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes

SystemCallFilter=@system-service @setuid chroot

[Install]
WantedBy=multi-user.target
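
The tightening that the unit's own comments describe for hosts that use neither local(8) nor procmail, written as a drop-in override. This is an added example, not part of the Debian package; the drop-in file name is an assumption. It relies on systemd resetting CapabilityBoundingSet when the setting is assigned the empty string, since repeated assignments are otherwise merged.

```ini
# /etc/systemd/system/postfix.service.d/hardening.conf  (file name is an assumption)
[Service]
# The empty assignment clears the bounding set inherited from postfix.service.
# Without it, the lines below would only add to the existing set and
# CAP_CHOWN would stay available.
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_CHROOT
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
# Still required unless root has been added to the ACLs of the
# postfix-owned spool directories, as the unit's comments describe.
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
# CAP_CHOWN is deliberately left out: no procmail delivery to /var/mail/$USER.

# Only for setups without local(8), i.e. delivery over LMTP or virtual(8);
# ~/.forward programs that need suid/sgid stop working with these set.
RestrictSUIDSGID=yes
NoNewPrivileges=yes
```

After `systemctl daemon-reload` and a restart of the service, `systemctl show -p CapabilityBoundingSet -p NoNewPrivileges postfix.service` reports the effective values.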

Copy & Paste

curl:
curl 'https://exampleconfig.com/api/v1/config/original/9f5642be48b1f6aa33e7e3c511a60d7a?hint=postfix.service'
wget:
wget -O postfix.service 'https://exampleconfig.com/api/v1/config/original/9f5642be48b1f6aa33e7e3c511a60d7a?hint=postfix.service'

Checksums of the original file

MD5: 9f5642be48b1f6aa33e7e3c511a60d7a
SHA-256: 956ad871586f04750ae6c4ae95db63c192b71baf50d8318b2a2752681306d978

Install Postfix

Alpine Linux

sudo apk add postfix

Debian

sudo apt update && sudo apt install postfix

Red Hat Enterprise Linux

sudo yum install postfix

Ubuntu

sudo apt update && sudo apt install postfix

File Location

File Path: /etc/systemd/postfix.service
Directory: /etc/systemd/
Significance: System-wide configuration directory
Description: Files in /etc/ contain system-wide configuration settings that affect all users.

FAQ

When should I use this postfix.service?

Use it to restore a missing default, confirm what shipped, or diff against your current Postfix config.

How do I restore Postfix defaults?

Download the file, back up the current one at /etc/systemd/postfix.service, replace it, then reload or restart Postfix.

Is postfix.service safe for production?

It is the vendor default for Debian 13 (Trixie). Treat it as a baseline and review security and performance settings before production use.

How does this differ from other OS versions?

Defaults vary by distro and version. This copy matches Debian 13 (Trixie).

Can I use this for Postfix troubleshooting?

Yes. Diff it against yours to find drift, then restore only the sections you need.