Comment # 5 on bug 1115999 from
(In reply to Franck Bui from comment #4)
> How was the cap granted to the sysv init script BTW ? or is this an
> improvement you introduced along with the systemd unit files ?

I did not introduce anything. :) Changes were introduced by Peter Varkoly when
migrating from SysV init to native systemd service. My intention was just to
make the package from server:mail work again on Leap 42.3.

> Maybe you could try to make cyrus-imapd socket activable (if it's not
> already done) and in this case systemd would open and bind the socket for
> you ?
> 
> That would make CAP_NET_BIND_SERVICE unneeded.
> 
> Otherwise ship a different unit file depending on the distro you're running
> on: 
> 
>  - on Factory ship the unit file with "User=xxx" and
> "AmbientCapabilities=cap_net_bind_service"
> 
>  - on Leap 42.3, run the service as root. It was probably already the case
> with the sysv init script.
> 
> In both cases you can also rely on different security hardening (if it's not
> already the case).

Yes, the SysV init script started cyrus-master as root so it can bind to the
ports. The systemd service now starts cyrus-master as user cyrus.

I have now added capabilities acquisition to the service file and created a new
submit request to server:mail at https://build.opensuse.org/request/show/657145.
I tested it on Leap 15.0, where it works as expected, but on Tumbleweed I
currently have the issue that it cannot be started because of the following
error:

Failed to start cyrus-imapd.service: Unit var-run.mount is masked.

