The following example is for postfix on a Debian GNU/Linux Woody (3.0) system with all capabilities disabled. The CAP_HIDDEN parts are ofcourse optional.
/sbin/lidsconf -A -o /etc/postfix -j DENY /sbin/lidsconf -A -o /var/spool/postfix -j DENY /sbin/lidsconf -A -s /etc/init.d/postfix \ -o /etc/postfix -j READONLY -i 1 /sbin/lidsconf -A -s /etc/init.d/postfix \ -o /var/spool/postfix -j WRITE -i 1 /sbin/lidsconf -A -s /usr/sbin/postfix \ -o /etc/postfix -j READONLY -i 4 /sbin/lidsconf -A -s /usr/sbin/postfix \ -o /var/spool/postfix -j WRITE -i 4 /sbin/lidsconf -A -s /usr/lib/postfix/master \ -o CAP_SETGID -j GRANT -i 1 /sbin/lidsconf -A -s /usr/lib/postfix/master \ -o CAP_SETUID -j GRANT -i 1 /sbin/lidsconf -A -s /usr/lib/postfix/master \ -o CAP_HIDDEN -j GRANT -i 1 /sbin/lidsconf -A -s /usr/lib/postfix/master \ -o CAP_DAC_OVERRIDE -j GRANT -i 1 /sbin/lidsconf -A -s /usr/lib/postfix/master \ -o CAP_SYS_CHROOT -j GRANT -i 1 /sbin/lidsconf -A -s /usr/lib/postfix/master \ -o /etc/aliases.db -j READONLY -i 1 /sbin/lidsconf -A -s /usr/lib/postfix/master \ -o /var/spool/postfix -j WRITE -i 1 /sbin/lidsconf -A -s /usr/lib/postfix/master \ -o /etc/postfix -j READONLY -i 1 /sbin/lidsconf -A -s /usr/sbin/postdrop \ -o /etc/postfix -j READONLY /sbin/lidsconf -A -s /usr/sbin/postdrop \ -o /var/spool/postfix -j WRITE /sbin/lidsconf -A -s /usr/sbin/sendmail \ -o /etc/postfix -j READONLY /sbin/lidsconf -A -s /usr/sbin/sendmail \ -o /var/spool/postfix -j WRITE |