This increases the isolation of Maddy service. Maddy capabilities can be
bound to only CAP_NET_BIND_SERVICE. This also restricts the service to
only use Unix sockets, IPv4 and IPv6.
It is only a good thing to use for simple stateless daemons. It is
possible to use StateDirectory to store state, but it is extremely
limited. Notably, only service processes and root can correctly access
the state directory. This makes up for a bad practice to run maddyctl as
root what in turn screws up permissions on files in messages directory
when imap-* subcommands are used.
Migration note: Users of systemd unit with DynamicUser enabled should
move /var/lib/private/maddy to /var/lib/maddy before starting maddy
after update.
It has all sorts of benefits due to the service manager being aware of
the starting/running/stopping state, see systemd.service(5)
On top of that, start-up errors are reported using STATUS= key, so they
will be easier to see in the 'systemctl status' output.