Revert "nixos/dovecot: improve and harden systemd unit" (#422817)

mweinelt · web-flow · commit 17b5150fcbbf · 2025-07-06T02:14:08.000+02:00
Users reported issues with this changeset in #418722.
diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix
@@ -692,67 +692,23 @@ in
 
     environment.etc."dovecot/dovecot.conf".source = cfg.configFile;
 
-    systemd.services.dovecot = {
-      aliases = [ "dovecot2.service" ];
+    systemd.services.dovecot2 = {
       description = "Dovecot IMAP/POP3 server";
-      documentation = [
-        "man:dovecot(1)"
-        "https://doc.dovecot.org"
-      ];
 
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      restartTriggers = [ cfg.configFile ];
+      restartTriggers = [
+        cfg.configFile
+      ];
 
       startLimitIntervalSec = 60; # 1 min
       serviceConfig = {
         Type = "notify";
         ExecStart = "${dovecotPkg}/sbin/dovecot -F";
         ExecReload = "${dovecotPkg}/sbin/doveadm reload";
-
-        CapabilityBoundingSet = [
-          "CAP_CHOWN"
-          "CAP_DAC_OVERRIDE"
-          "CAP_FOWNER"
-          "CAP_NET_BIND_SERVICE"
-          "CAP_SETGID"
-          "CAP_SETUID"
-          "CAP_SYS_CHROOT"
-          "CAP_SYS_RESOURCE"
-        ];
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        OOMPolicy = "continue";
-        PrivateTmp = true;
-        ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = lib.mkDefault false;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "full";
-        PrivateDevices = true;
         Restart = "on-failure";
         RestartSec = "1s";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = false; # sets sgid on maildirs
         RuntimeDirectory = [ "dovecot2" ];
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service @resources"
-          "~@privileged"
-          "@chown @setuid capset chroot"
-        ];
       };
 
       # When copying sieve scripts preserve the original time stamp
diff --git a/nixos/tests/dovecot.nix b/nixos/tests/dovecot.nix
@@ -84,13 +84,11 @@
 
   testScript = ''
     machine.wait_for_unit("postfix.service")
-    machine.wait_for_unit("dovecot.service")
+    machine.wait_for_unit("dovecot2.service")
     machine.succeed("send-testmail")
     machine.succeed("send-lda")
     machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
     machine.succeed("test-imap")
     machine.succeed("test-pop")
-
-    machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v ✓"))
   '';
 }
