--- Comment #4 from Franck Bui firstname.lastname@example.org --- How was the cap granted to the sysv init script BTW ? or is this an improvement you introduced along with the systemd unit files ?
Maybe you could try to make cyrus-imapd socket activable (if it's not already done) and in this case systemd would open and bind the socket for you ?
That would make CAP_NET_BIND_SERVICE undeeded.
Otherwise ship a different unit file depending on the distro you're running on:
- on Factory ship the unit file with "User=xxx" and "AmbientCapabilities=cap_net_bind_service"
- on Leap 42.3, run the service as root. It was probably already the case with the sysv init script.
In both cases you can also rely on different security hardening (if it's not already the case).