# mail-gateway-api, running as mailgw, needs to reload the Postfix
# configuration after `postconf -e` writes new values to main.cf. We
# grant exactly that — no shells, no wildcards, no other binaries.
# Additional reload paths can be added here as later stages (etappes)
# integrate more of the mail stack.
# Rules for the mailgw service account. Each rule lets mailgw run one fixed
# command line as root without a password. Every entry spells out its
# arguments and contains no wildcard, so sudo should accept only that exact
# invocation; any other verb, unit name or extra argument is refused.
# Check syntax with `visudo -c -f <path-to-this-file>` before installing.

# Postfix reload: the postfix binary's own `reload` command, then the systemd
# form for the plain unit name and for the instance unit postfix@-.service
# (presumably the default-instance unit on this host; confirm).
# `postfix.service` is not listed, so that spelling will be denied.
# NOTE(review): a reload is what makes values written to main.cf take effect,
# so write access to main.cf is part of this grant's trust boundary and
# should be reviewed together with these rules.
mailgw ALL=(root) NOPASSWD: /usr/sbin/postfix reload
mailgw ALL=(root) NOPASSWD: /bin/systemctl reload postfix
mailgw ALL=(root) NOPASSWD: /bin/systemctl reload postfix@-.service
# rspamd reload, with and without the explicit .service suffix.
mailgw ALL=(root) NOPASSWD: /bin/systemctl reload rspamd
mailgw ALL=(root) NOPASSWD: /bin/systemctl reload rspamd.service
# rspamd restart, with and without the explicit .service suffix.
# NOTE(review): restart stops and starts the daemon, which is wider than a
# configuration reload. Confirm the API needs it; if it does, the file's
# scope description should say so, otherwise drop these two rules.
mailgw ALL=(root) NOPASSWD: /bin/systemctl restart rspamd
mailgw ALL=(root) NOPASSWD: /bin/systemctl restart rspamd.service
