From 0b8521300b35b36c667ce02fbb491ba9dbfd03ac Mon Sep 17 00:00:00 2001
From: j4n
Date: Mon, 23 Feb 2026 09:30:00 +0100
Subject: [PATCH] docker: expand security notice
---
 docker-compose.yaml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 686a59e4..e29abaf9 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -2,11 +2,15 @@
 # volumes, env overrides) in docker-compose.override.yaml instead.
 # See docker/docker-compose.override.yaml.example for a starting point.
 #
-# Security note: this container uses network_mode:host (chatmail needs many
-# ports: 25, 53, 80, 143, 443, 465, 587, 993, 3340, 8443) and cgroup:host
-# (required for systemd). Together these give the container near-host-level
-# access. This is acceptable for a dedicated mail server, but be aware that
-# the container can bind any port and see all host network traffic.
+# Security notes: this container uses
+# - network_mode:host chatmail needs many ports (25, 53, 80, 143, 443, 465,
+# 587, 993, 3340, 8443) and needs to operate from the real IP, which bridging
+# would make tricky
+# - cgroup:host (required for systemd).
+# Together these give the container near-host-level access. This is acceptable
+# for a dedicated mail server, but be aware that the container can bind any
+# port and see all host network traffic.
+
 services:
 chatmail:
 build:
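Review bot: The expanded security note states the exposure but gives operators no way to act on it. With `network_mode: host`, Compose ignores `ports:` mappings, so reachability can only be limited on the host itself. I would add a line such as `# Restrict exposed ports with the host firewall; ports: mappings have no effect in host mode.` after the "Together these give..." paragraph. As a style point, the first bullet runs the option name straight into its rationale and has no closing period, while the second bullet uses parentheses and one; `# - network_mode:host (chatmail needs many ports: ... and must operate from the real IP).` would match. The `services:` body continues outside the hunk, so whether extra capabilities or privileged mode are also granted cannot be seen from here.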