diff --git a/dist/systemd/maddy.service b/dist/systemd/maddy.service
index 95df73d..2377a9e 100644
--- a/dist/systemd/maddy.service
+++ b/dist/systemd/maddy.service
@@ -29,7 +29,9 @@ ProtectHome=true
 ProtectSystem=strict
 ProtectKernelTunables=true
 ProtectHostname=true
+ProtectClock=true
 ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 
 # Additional sandboxing. You need to disable all of these options
 # for privileged helper binaries (for system auth) to work correctly.
@@ -50,6 +52,7 @@ KillSignal=SIGTERM
 
 # Required to bind on ports lower than 1024.
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
 # Force all files created by maddy to be only readable by it.
 UMask=0027
diff --git a/dist/systemd/maddy@.service b/dist/systemd/maddy@.service
index 9805f6f..b056b6d 100644
--- a/dist/systemd/maddy@.service
+++ b/dist/systemd/maddy@.service
@@ -25,7 +25,9 @@ PrivateHome=true
 ProtectSystem=strict
 ProtectKernelTunables=true
 ProtectHostname=true
+ProtectClock=true
 ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 DeviceAllow=/dev/syslog
 
 # Additional sandboxing. You need to disable all of these options
@@ -46,6 +48,7 @@ KillSignal=SIGTERM
 
 # Required to bind on ports lower than 1024.
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
 # Force all files created by maddy to be only readable by it.
 UMask=0027
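Review bot: The new `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` line in the first hunk of maddy.service (and the same line in the first hunk of maddy@.service) has no comment, while every other hardening line in this block is explained, and its effect is not obvious: any socket() call for a family outside the list fails with EAFNOSUPPORT rather than being logged as a sandbox denial. In particular AF_NETLINK is not allowed, and Go's net.Interfaces() opens a NETLINK_ROUTE socket, so if any code path in maddy or a configured module enumerates interfaces it will now fail silently from the operator's point of view; worth confirming against the code base before release. Suggested comment above the line: `# Only local, IPv4 and IPv6 sockets; other families (e.g. AF_NETLINK) are refused with EAFNOSUPPORT.`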
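Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` in the second hunk of maddy.service (and the matching hunk in maddy@.service) sits under the comment "Required to bind on ports lower than 1024", which describes `AmbientCapabilities=` but not this line, whose purpose is the opposite: dropping every other capability from the bounding set. Because the bounding set also caps what a set-UID-root or file-capability binary executed by maddy can gain, this line affects exactly the "privileged helper binaries (for system auth)" case that the earlier comment tells operators to handle by disabling the "Additional sandboxing" block, yet it is placed outside that block, so an operator following that comment would miss it. Suggested comment directly above the new line: `# Drop every other capability, including for setuid/file-capability helpers maddy executes; relax this too if privileged helper binaries are used.`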