How was the cap granted to the sysv init script BTW? Or is this an improvement you introduced along with the systemd unit files?

Maybe you could try to make cyrus-imapd socket-activatable (if it's not already done), and in this case systemd would open and bind the socket for you? That would make CAP_NET_BIND_SERVICE unneeded.

Otherwise, ship a different unit file depending on the distro you're running on:

- on Factory, ship the unit file with "User=xxx" and "AmbientCapabilities=cap_net_bind_service"
- on Leap 42.3, run the service as root. It was probably already the case with the sysv init script.

In both cases you can also rely on different security hardening (if it's not already the case).
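
A sketch of the two unit-file variants suggested in the comment above, added here as an example; it is not part of the original comment and not taken from the cyrus-imapd package. `User=xxx` is the comment's own placeholder, while the `ExecStart=` path and the extra hardening directives are assumptions to be tested against the real service.

```ini
# --- Variant A (Factory): unprivileged user plus one ambient capability ---
# Constructed example; the ExecStart path is a placeholder.
[Unit]
Description=Cyrus IMAP server (example unit)
After=network.target

[Service]
# "xxx" is the placeholder from the comment; substitute the service account.
User=xxx
# Allows the non-root process to bind ports below 1024 (e.g. IMAP on 143).
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Hardening (assumed, not from the comment): restrict the bounding set to
# that single capability so nothing else can ever be acquired, and block
# privilege gain through setuid/setgid binaries.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Mount /usr, /boot and /etc read-only for the service.
ProtectSystem=full
ExecStart=/path/to/cyrus-master

[Install]
WantedBy=multi-user.target

# --- Variant B (Leap 42.3): same unit, started as root ---
# Drop the User= and AmbientCapabilities= lines from [Service]. Root already
# holds CAP_NET_BIND_SERVICE, so no capability grant is needed.
# CapabilityBoundingSet= and NoNewPrivileges= are also dropped here because
# a daemon that starts as root and switches user itself may need further
# capabilities; ProtectSystem= can still be kept.
```

After installing a variant, `systemctl show -p User -p AmbientCapabilities -p CapabilityBoundingSet <unit>` shows the values systemd actually applied.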