diff -up dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem dovecot-2.2.28/dovecot.service.in

--- dovecot-2.2.28/dovecot.service.in.systemd_w_protectsystem	2017-02-27 10:00:14.647423500 +0100

+++ dovecot-2.2.28/dovecot.service.in	2017-02-27 10:02:18.051377067 +0100

@@ -20,8 +20,8 @@ ExecReload=@bindir@/doveadm reload

 ExecStop=@bindir@/doveadm stop

 PrivateTmp=true

 NonBlocking=yes

-# Enable this if your systemd is new enough to support it:

-#ProtectSystem=full

+# Enable this if your systemd is new enough to support it: (it will make /usr /boot /etc read only for dovecot)

+ProtectSystem=full

 # You can add environment variables with e.g.:

 #Environment='CORE_OUTOFMEM=1'