These overrides can break services if applied blindly: apply them one service at a time, test in staging, and check container logs and health checks before rolling anything to production.
Example of a read-only root filesystem for selected services:
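# docker-compose.override.yml
# read_only makes the container's root filesystem immutable; only the
# volumes/bind mounts from the base compose file and the tmpfs entries
# below remain writable. Any path the entrypoint writes at start-up
# (pid files, sockets, generated config) must be covered by one of
# those, otherwise the service fails to start — verify in staging.
services:
  dovecot-mailcow:
    read_only: true
    # Give every tmpfs an explicit size= so its memory use is bounded and
    # a runaway writer gets ENOSPC instead of growing until the container
    # (or host) runs out of memory. Sizes are starting points; tune to
    # observed usage.
    tmpfs:
      - /tmp:size=64m
      - /run:size=16m
      - /var/lib/dovecot:size=128m
  rspamd-mailcow:
    read_only: true
    tmpfs:
      - /tmp:size=64m
      - /run:size=16m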
Prevent resource exhaustion (hard per-service caps on memory, CPU and process count):
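# docker-compose.override.yml
# Hard caps for the heaviest services. deploy.resources.limits is
# honoured by Docker Compose v2 for plain `docker compose up`; legacy
# docker-compose v1 ignored it unless run with --compatibility.
# A memory cap below a service's working set causes OOM kills, not
# throttling — size these from measured usage (e.g. `docker stats`).
# Note that a memory cap alone still allows swap use up to the same
# amount; add memswap_limit equal to memory to forbid swap entirely.
# pids bounds fork storms; the PID cgroup counts threads as well as
# processes, so keep headroom above the daemon's configured limits.
services:
  clamav-mailcow:
    deploy:
      resources:
        limits:
          # clamd keeps the signature database resident; check its
          # steady-state RSS before relying on this cap.
          memory: 2G
          cpus: '2.0'
          pids: 512
  dovecot-mailcow:
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: '2.0'
          # Dovecot may run one process per connection depending on its
          # service_count settings; keep this above the configured
          # process_limit values or logins are refused at the cap.
          pids: 4096
  rspamd-mailcow:
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: '1.0'
          pids: 512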
Reduce container privileges by dropping Linux capabilities the services do not need:
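# docker-compose.override.yml
# cap_drop removes capabilities from the set the container would
# otherwise receive (Docker's default bounding set plus any cap_add in
# the base compose file). NET_RAW is in the default set and allows raw
# sockets — packet sniffing and address spoofing on the container
# network — which neither an MTA nor an IMAP server needs. SYS_ADMIN is
# not in Docker's default set, so dropping it only matters if the base
# file grants it via cap_add; check for that, since overrides merge
# cap_add and cap_drop lists rather than replacing them.
# Stricter option: `cap_drop: [ALL]` plus cap_add of exactly what each
# daemon needs (for postfix that includes at least NET_BIND_SERVICE,
# SETUID, SETGID and CHOWN) — establish the exact list in staging.
# Verify the effective set inside a running container with
# `grep CapEff /proc/1/status`.
services:
  postfix-mailcow:
    cap_drop:
      - NET_RAW
      - SYS_ADMIN
  dovecot-mailcow:
    cap_drop:
      - NET_RAW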
Block privilege escalation inside the container (no_new_privs stops setuid/setgid binaries and file capabilities from granting extra privileges after exec):
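# docker-compose.override.yml
# no-new-privileges sets the no_new_privs flag: the process tree can no
# longer gain privileges via setuid/setgid binaries or file
# capabilities after exec. Daemons that start as root and drop
# privileges themselves keep working; anything that relies on a setuid
# helper (sudo, su, setuid/setgid mail submission wrappers) breaks.
# This complements cap_drop — a dropped capability is only final if the
# process cannot regain it through a privileged binary.
# postfix is not listed here, presumably because its setgid
# postdrop/postqueue helpers need privilege transitions — confirm in
# staging before extending this to further services.
services:
  dovecot-mailcow:
    security_opt:
      - no-new-privileges:true
  rspamd-mailcow:
    security_opt:
      - no-new-privileges:true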