(In reply to Franck Bui from comment #4) > How was the cap granted to the sysv init script BTW ? or is this an > improvement you introduced along with the systemd unit files ? I did not introduce anything. :) Changes were introduced by Peter Varkoly when migrating from SysV init to native systemd service. My intention was just to make the package from server:mail to work again on Leap 42.3. > Maybe you could try to make cyrus-imapd socket activable (if it's not > already done) and in this case systemd would open and bind the socket for > you ? > > That would make CAP_NET_BIND_SERVICE undeeded. > > Otherwise ship a different unit file depending on the distro you're running > on: > > - on Factory ship the unit file with "User=xxx" and > "AmbientCapabilities=cap_net_bind_service" > > - on Leap 42.3, run the service as root. It was probably already the case > with the sysv init script. > > In both cases you can also rely on different security hardening (if it's not > already the case). Yes, the SysV init script started cyrus-master as root so it can bind to the ports. The systemd service now starts cyrus-master as user cyrus. I now added capabilities acquisition to the service file and created a new submit request to server:mail at https://build.opensuse.org/request/show/657145 . I tested it on Leap 15.0 where it works as expected, but on Tumbleweed I currently have the issue that it can not be started because of the following error: Failed to start cyrus-imapd.service: Unit var-run.mount is masked.