# grsecurity RBAC subject for the Postfix binaries under /usr/lib/postfix.
# Subject mode "o" is grsecurity's override flag: this subject does not
# inherit object rules from less specific subjects, so the list below is
# the complete file policy for these processes.
/usr/lib/postfix o {
	# Queue directory: read/write. The lib subdirectory under it is
	# read/execute only.
	/var/spool/postfix rw
	/var/spool/postfix/lib rx
	# Mailbox directory: write access only, no read.
	/var/mail w
	# Syslog socket and standard device nodes.
	/dev/log rw
	/dev/null rw
	/dev/urandom r
	# NOTE(review): no mode flags are given here. Presumably this makes the
	# path lookup-only (visible, but no read/write/execute), overriding the
	# "/etc r" rule for this one file. Confirm against the gradm version in use.
	/etc/aliases
	# NOTE(review): the daemon can rewrite its own configuration directory.
	# Confirm that write access is required; read-only would limit what a
	# compromised Postfix process can persist.
	/etc/postfix rw
	# NOTE(review): read access to all of /etc except the more specific
	# entries above and below. Only /etc/grsec is hidden, so files such as
	# /etc/shadow remain readable by this subject (CAP_DAC_OVERRIDE is
	# granted below). Consider hiding the sensitive files explicitly.
	/etc r
	# The RBAC policy directory is hidden from this subject.
	/etc/grsec h
	# Shared libraries and helper binaries: read/execute, no write.
	/lib rx
	/usr/lib rx
	/usr/share/zoneinfo r
	# NOTE(review): no mode flags; see the note on /etc/aliases.
	/var/tmp
	# Default deny: every path not matched by a more specific rule above
	# is hidden.
	/ h

	# Drop every capability, then re-add only the five listed.
	# CAP_DAC_OVERRIDE bypasses ordinary file permission checks, so the
	# object rules above are the effective limit on file access.
	# CAP_NET_BIND_SERVICE is not re-added.
	-CAP_ALL
	+CAP_DAC_OVERRIDE
	+CAP_KILL
	+CAP_SETGID
	+CAP_SETUID
	+CAP_SYS_CHROOT

	# Outbound connections: any address, port 53 over TCP and UDP (DNS)
	# and port 25 over TCP (SMTP). Delivery to any other port, e.g. a
	# relay host on a different port, is not permitted by this block.
	connect {
		0.0.0.0/0:53 stream dgram ip tcp udp
		0.0.0.0/0:25 stream ip tcp
	}

	# No listening sockets are allowed for this subject.
	# NOTE(review): with bind disabled and no CAP_NET_BIND_SERVICE, a
	# process under this subject cannot accept inbound SMTP. Confirm this
	# is an outbound-only setup or that the listener has its own subject.
	bind {
		disabled
	}
}
