These ACLs were written for a qmail setup installed according to Dave Sill's Life with qmail. With this configuration, qmail must be started before the kernel is sealed, or while LIDS_GLOBAL is disabled, so that tcpserver can bind to port 25; the rules shown here do not grant tcpserver CAP_NET_BIND_SERVICE.
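# LIDS ACLs for a qmail installation rooted at /var/qmail.
# Every rule is added with `lidsconf -A`: -s names the subject (the program
# the rule applies to), -o the object (a path or a capability) and -j the
# access that is granted. `lidsconf -L` lists the resulting rule set.
# NOTE(review): multilog, svc and supervise live in /usr/local/bin, which no
# rule shown here protects. LIDS expects a subject binary to be protected
# itself; confirm /usr/local/bin is covered by a rule elsewhere.

# setup
# No -s: this is the default for every program, so the whole qmail tree is
# read-only unless a more specific rule below says otherwise.
/sbin/lidsconf -A -o /var/qmail -j READONLY
# multilog gets WRITE on the log directory.
/sbin/lidsconf -A -s /usr/local/bin/multilog \
  -o /var/log/qmail -j WRITE
# svc gets WRITE on the service tree it controls.
/sbin/lidsconf -A -s /usr/local/bin/svc \
  -o /var/qmail/supervise -j WRITE

# queue access
#
# Seven programs receive WRITE on the queue.
# NOTE(review): this may be broader than needed. In stock qmail the queue is
# modified by qmail-queue, qmail-send and qmail-clean; check whether
# qmail-inject, qmail-remote, qmail-lspawn and qmail-rspawn still work with
# the READONLY default before keeping their WRITE rules.
/sbin/lidsconf -A -s /var/qmail/bin/qmail-inject \
  -o /var/qmail/queue -j WRITE
/sbin/lidsconf -A -s /var/qmail/bin/qmail-rspawn \
  -o /var/qmail/queue -j WRITE
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
  -o /var/qmail/queue -j WRITE
/sbin/lidsconf -A -s /var/qmail/bin/qmail-queue \
  -o /var/qmail/queue -j WRITE
/sbin/lidsconf -A -s /var/qmail/bin/qmail-clean \
  -o /var/qmail/queue -j WRITE
/sbin/lidsconf -A -s /var/qmail/bin/qmail-send \
  -o /var/qmail/queue -j WRITE
/sbin/lidsconf -A -s /var/qmail/bin/qmail-remote \
  -o /var/qmail/queue -j WRITE

# Access to local mail boxes
# qmail-lspawn is granted the capabilities to change uid/gid and to bypass
# file permission checks. These are the most powerful grants in this file:
# anyone able to replace or subvert qmail-lspawn gains them, so the binary
# must stay under the READONLY rule above.
# NOTE(review): CAP_DAC_OVERRIDE together with CAP_DAC_READ_SEARCH is wide;
# confirm local delivery really fails without each of them.
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
  -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
  -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
  -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
  -o CAP_DAC_READ_SEARCH -j GRANT

# Remote delivery
# -i sets the inheritance level of the grant; -1 is presumably "unlimited",
# so every program started by qmail-rspawn also receives the capability
# (verify against the lidsconf documentation for the installed version).
# NOTE(review): verify that outbound delivery actually needs
# CAP_NET_BIND_SERVICE before keeping an unlimited-inheritance grant.
/sbin/lidsconf -A -s /var/qmail/bin/qmail-rspawn \
  -o CAP_NET_BIND_SERVICE -i -1 -j GRANT

# supervise
# supervise gets WRITE only on the four per-service supervise directories,
# not on the whole /var/qmail/supervise tree.
/sbin/lidsconf -A -s /usr/local/bin/supervise \
  -o /var/qmail/supervise/qmail-smtpd/supervise -j WRITE
/sbin/lidsconf -A -s /usr/local/bin/supervise \
  -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE
/sbin/lidsconf -A -s /usr/local/bin/supervise \
  -o /var/qmail/supervise/qmail-send/supervise -j WRITE
# The stray trailing "|" that followed this rule has been dropped: it left
# the command as an unterminated pipeline, so the shell would not run it.
/sbin/lidsconf -A -s /usr/local/bin/supervise \
  -o /var/qmail/supervise/qmail-send/log/supervise -j WRITE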