sharpetronics/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-10-03 00:02:53 -04:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: sharpetronics:8cd32cb37a2c3373c416126cb2966c0c7f818b7e
Branches Tags
sharpetronics:master
sharpetronics:staging
sharpetronics:update/postscreen_access.cidr
sharpetronics:renovate/php-pecl-mail-mailparse-3.x
sharpetronics:weblate-translated
sharpetronics:renovate/tianon-gosu-1.x
sharpetronics:fix/rename-phpsessid
sharpetronics:fix/samesite-cookie
sharpetronics:fix/6740
sharpetronics:fix/6739
sharpetronics:fix/6720
sharpetronics:feat/sogo-url-encryption
sharpetronics:renovate/ghcr.io-mailcow-sogo-1.x
sharpetronics:feat/passwordless-autodiscover
sharpetronics:renovate/composer-composer-2.x
sharpetronics:nightly
sharpetronics:fix/6423
sharpetronics:fix/6135
sharpetronics:6644_clamd-tmp-folder-naming-change
sharpetronics:renovate/krakjoe-apcu-5.x
sharpetronics:feat/dovecot-2.4
sharpetronics:feat/mailcow-adm
sharpetronics:feat/remove-ip6nat
sharpetronics:legacy
sharpetronics:feat/python-bootstrapper
sharpetronics:renovate/alpine-3.x
sharpetronics:dragoangel-patch-1
sharpetronics:feat/valkey
sharpetronics:fix/clean-sasl-log
sharpetronics:feat/forced-pw-update-modal
sharpetronics:feat/mTLS-auth
sharpetronics:feat/ui-improvements
sharpetronics:2025-09b
sharpetronics:2025-09a
sharpetronics:2025-09
sharpetronics:2025-07
sharpetronics:2025-05
sharpetronics:2025-03b
sharpetronics:2025-03a
sharpetronics:2025-03
sharpetronics:2025-02
sharpetronics:2025-01a
sharpetronics:2025-01
sharpetronics:2024-11b
sharpetronics:2024-11a
sharpetronics:2024-11
sharpetronics:2024-08a
sharpetronics:2024-08
sharpetronics:2024-07
sharpetronics:2024-06c
sharpetronics:2024-06b
sharpetronics:2024-06a
sharpetronics:2024-06
sharpetronics:2024-04
sharpetronics:2024-02
sharpetronics:2024-01e
sharpetronics:2024-01d
sharpetronics:2024-01c
sharpetronics:2024-01b
sharpetronics:2024-01a
sharpetronics:2024-01
sharpetronics:2023-12a
sharpetronics:2023-12
sharpetronics:2023-11a
sharpetronics:2023-11
sharpetronics:2023-10a
sharpetronics:2023-10
sharpetronics:2023-09
sharpetronics:2023-08
sharpetronics:2023-07a
sharpetronics:2023-07
sharpetronics:2023-05a
sharpetronics:2023-05
sharpetronics:2023-04b
sharpetronics:2023-04a
sharpetronics:2023-04
sharpetronics:2023-03
sharpetronics:2023-02a
sharpetronics:2023-02
sharpetronics:2023-01a
sharpetronics:2023-01
sharpetronics:2022-12b
sharpetronics:2022-12a
sharpetronics:2022-12
sharpetronics:2022-11b
sharpetronics:2022-11a
sharpetronics:2022-11
sharpetronics:2022-10a
sharpetronics:2022-10
sharpetronics:2022-09a
sharpetronics:2022-09
sharpetronics:2022-08b
sharpetronics:2022-08a
sharpetronics:2022-08
sharpetronics:2022-07a
sharpetronics:2022-07
sharpetronics:2022-06b
sharpetronics:2022-06a
sharpetronics:2022-06
sharpetronics:2022-05d
sharpetronics:2022-05c
sharpetronics:2022-05b
sharpetronics:2022-05a
sharpetronics:2022-05
sharpetronics:2022-04
sharpetronics:2022-03a
sharpetronics:2022-03
sharpetronics:2022-01a
sharpetronics:2022-01
...
compare: sharpetronics:ec745c3b0697b0681ba3a29e7343c4ebd546f1fd
Branches Tags
sharpetronics:staging
sharpetronics:update/postscreen_access.cidr
sharpetronics:renovate/php-pecl-mail-mailparse-3.x
sharpetronics:weblate-translated
sharpetronics:renovate/tianon-gosu-1.x
sharpetronics:fix/rename-phpsessid
sharpetronics:fix/samesite-cookie
sharpetronics:fix/6740
sharpetronics:fix/6739
sharpetronics:fix/6720
sharpetronics:feat/sogo-url-encryption
sharpetronics:renovate/ghcr.io-mailcow-sogo-1.x
sharpetronics:feat/passwordless-autodiscover
sharpetronics:renovate/composer-composer-2.x
sharpetronics:nightly
sharpetronics:master
sharpetronics:fix/6423
sharpetronics:fix/6135
sharpetronics:6644_clamd-tmp-folder-naming-change
sharpetronics:renovate/krakjoe-apcu-5.x
sharpetronics:feat/dovecot-2.4
sharpetronics:feat/mailcow-adm
sharpetronics:feat/remove-ip6nat
sharpetronics:legacy
sharpetronics:feat/python-bootstrapper
sharpetronics:renovate/alpine-3.x
sharpetronics:dragoangel-patch-1
sharpetronics:feat/valkey
sharpetronics:fix/clean-sasl-log
sharpetronics:feat/forced-pw-update-modal
sharpetronics:feat/mTLS-auth
sharpetronics:feat/ui-improvements
sharpetronics:2025-09b
sharpetronics:2025-09a
sharpetronics:2025-09
sharpetronics:2025-07
sharpetronics:2025-05
sharpetronics:2025-03b
sharpetronics:2025-03a
sharpetronics:2025-03
sharpetronics:2025-02
sharpetronics:2025-01a
sharpetronics:2025-01
sharpetronics:2024-11b
sharpetronics:2024-11a
sharpetronics:2024-11
sharpetronics:2024-08a
sharpetronics:2024-08
sharpetronics:2024-07
sharpetronics:2024-06c
sharpetronics:2024-06b
sharpetronics:2024-06a
sharpetronics:2024-06
sharpetronics:2024-04
sharpetronics:2024-02
sharpetronics:2024-01e
sharpetronics:2024-01d
sharpetronics:2024-01c
sharpetronics:2024-01b
sharpetronics:2024-01a
sharpetronics:2024-01
sharpetronics:2023-12a
sharpetronics:2023-12
sharpetronics:2023-11a
sharpetronics:2023-11
sharpetronics:2023-10a
sharpetronics:2023-10
sharpetronics:2023-09
sharpetronics:2023-08
sharpetronics:2023-07a
sharpetronics:2023-07
sharpetronics:2023-05a
sharpetronics:2023-05
sharpetronics:2023-04b
sharpetronics:2023-04a
sharpetronics:2023-04
sharpetronics:2023-03
sharpetronics:2023-02a
sharpetronics:2023-02
sharpetronics:2023-01a
sharpetronics:2023-01
sharpetronics:2022-12b
sharpetronics:2022-12a
sharpetronics:2022-12
sharpetronics:2022-11b
sharpetronics:2022-11a
sharpetronics:2022-11
sharpetronics:2022-10a
sharpetronics:2022-10
sharpetronics:2022-09a
sharpetronics:2022-09
sharpetronics:2022-08b
sharpetronics:2022-08a
sharpetronics:2022-08
sharpetronics:2022-07a
sharpetronics:2022-07
sharpetronics:2022-06b
sharpetronics:2022-06a
sharpetronics:2022-06
sharpetronics:2022-05d
sharpetronics:2022-05c
sharpetronics:2022-05b
sharpetronics:2022-05a
sharpetronics:2022-05
sharpetronics:2022-04
sharpetronics:2022-03a
sharpetronics:2022-03
sharpetronics:2022-01a
sharpetronics:2022-01

2 Commits
8cd32cb37a ... ec745c3b06

Author SHA1 Message Date
Niklas Fuchs
ec745c3b06
Merge 4e7c69d916b0b05f621aa3d77b0ef8121be3e9f9 into c51a769aecd3e7dff38662d97c72572bf1a5fd74 2025-09-29 19:08:09 +02:00
Niklas Fuchs
4e7c69d916
Add security_opt to prevent new privileges 2025-09-26 08:36:30 +02:00
1 changed files with 36 additions and 0 deletions
Show Stats Expand all files Collapse all files

36
docker-compose.yml
View File

@ -10,6 +10,8 @@ services:
- ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z - ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z
restart: always restart: always
tty: true tty: true
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
ipv4_address: ${IPV4_NETWORK:-172.22.1}.254 ipv4_address: ${IPV4_NETWORK:-172.22.1}.254
@ -36,6 +38,8 @@ services:
restart: always restart: always
ports: ports:
- "${SQL_PORT:-127.0.0.1:13306}:3306" - "${SQL_PORT:-127.0.0.1:13306}:3306"
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -58,6 +62,8 @@ services:
- REDISMASTERPASS=${REDISMASTERPASS:-} - REDISMASTERPASS=${REDISMASTERPASS:-}
sysctls: sysctls:
- net.core.somaxconn=4096 - net.core.somaxconn=4096
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
ipv4_address: ${IPV4_NETWORK:-172.22.1}.249 ipv4_address: ${IPV4_NETWORK:-172.22.1}.249
@ -78,6 +84,8 @@ services:
volumes: volumes:
- ./data/conf/clamav/:/etc/clamav/:Z - ./data/conf/clamav/:/etc/clamav/:Z
- clamd-db-vol-1:/var/lib/clamav - clamd-db-vol-1:/var/lib/clamav
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -111,6 +119,8 @@ services:
hostname: rspamd hostname: rspamd
dns: dns:
- ${IPV4_NETWORK:-172.22.1}.254 - ${IPV4_NETWORK:-172.22.1}.254
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -194,6 +204,8 @@ services:
ofelia.job-exec.phpfpm_ldap_sync.schedule: "@every 1m" ofelia.job-exec.phpfpm_ldap_sync.schedule: "@every 1m"
ofelia.job-exec.phpfpm_ldap_sync.no-overlap: "true" ofelia.job-exec.phpfpm_ldap_sync.no-overlap: "true"
ofelia.job-exec.phpfpm_ldap_sync.command: "/bin/bash -c \"php /crons/ldap-sync.php || exit 0\"" ofelia.job-exec.phpfpm_ldap_sync.command: "/bin/bash -c \"php /crons/ldap-sync.php || exit 0\""
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -245,6 +257,8 @@ services:
ofelia.job-exec.sogo_backup.schedule: "@every 24h" ofelia.job-exec.sogo_backup.schedule: "@every 24h"
ofelia.job-exec.sogo_backup.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool backup /sogo_backup ALL || exit 0\"" ofelia.job-exec.sogo_backup.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool backup /sogo_backup ALL || exit 0\""
restart: always restart: always
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
ipv4_address: ${IPV4_NETWORK:-172.22.1}.248 ipv4_address: ${IPV4_NETWORK:-172.22.1}.248
@ -332,6 +346,8 @@ services:
nofile: nofile:
soft: 20000 soft: 20000
hard: 40000 hard: 40000
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
ipv4_address: ${IPV4_NETWORK:-172.22.1}.250 ipv4_address: ${IPV4_NETWORK:-172.22.1}.250
@ -375,6 +391,8 @@ services:
restart: always restart: always
dns: dns:
- ${IPV4_NETWORK:-172.22.1}.254 - ${IPV4_NETWORK:-172.22.1}.254
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
ipv4_address: ${IPV4_NETWORK:-172.22.1}.253 ipv4_address: ${IPV4_NETWORK:-172.22.1}.253
@ -398,6 +416,8 @@ services:
restart: always restart: always
dns: dns:
- ${IPV4_NETWORK:-172.22.1}.254 - ${IPV4_NETWORK:-172.22.1}.254
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -408,6 +428,8 @@ services:
restart: always restart: always
environment: environment:
- TZ=${TZ} - TZ=${TZ}
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -454,6 +476,8 @@ services:
- "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}" - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
- "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}" - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
restart: always restart: always
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -496,6 +520,8 @@ services:
- ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z - ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
- mysql-socket-vol-1:/var/run/mysqld/:z - mysql-socket-vol-1:/var/run/mysqld/:z
restart: always restart: always
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -520,6 +546,8 @@ services:
network_mode: "host" network_mode: "host"
volumes: volumes:
- /lib/modules:/lib/modules:ro - /lib/modules:/lib/modules:ro
security_opt:
- no-new-privileges:true
watchdog-mailcow: watchdog-mailcow:
image: ghcr.io/mailcow/watchdog:2.09 image: ghcr.io/mailcow/watchdog:2.09
@ -591,6 +619,8 @@ services:
- MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20} - MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20}
- MAILQ_CRIT=${MAILQ_CRIT:-30} - MAILQ_CRIT=${MAILQ_CRIT:-30}
- DEV_MODE=${DEV_MODE:-n} - DEV_MODE=${DEV_MODE:-n}
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -611,6 +641,8 @@ services:
- REDISPASS=${REDISPASS} - REDISPASS=${REDISPASS}
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -630,6 +662,8 @@ services:
- OLEFY_MINLENGTH=500 - OLEFY_MINLENGTH=500
- OLEFY_DEL_TMP=1 - OLEFY_DEL_TMP=1
- SKIP_OLEFY=${SKIP_OLEFY:-n} - SKIP_OLEFY=${SKIP_OLEFY:-n}
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases:
@ -651,6 +685,8 @@ services:
- label=disable - label=disable
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
security_opt:
- no-new-privileges:true
networks: networks:
mailcow-network: mailcow-network:
aliases: aliases: