diff --git a/cmdeploy/src/cmdeploy/cmdeploy.py b/cmdeploy/src/cmdeploy/cmdeploy.py
index 78b6ad02..2eea6546 100644
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -99,7 +99,11 @@ def run_cmd(args, out): deploy_path = importlib.resources.files(__package__).joinpath("deploy.py").resolve() pyinf = "pyinfra --dry" if args.dry_run else "pyinfra" ssh_host = args.config.mail_domain if not args.ssh_host else args.ssh_host + cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y" + if sshexec == "localhost": + cmd = f"{pyinf} @local {deploy_path} -y" + if version.parse(pyinfra.__version__) < version.parse("3"): out.red("Please re-run scripts/initenv.sh to update pyinfra to version 3.") return 1
@@ -362,6 +366,9 @@ def main(args=None): def get_sshexec(): host = args.ssh_host if hasattr(args, "ssh_host") and args.ssh_host else args.config.mail_domain + if host in [ "@local", "localhost" ]: + return "localhost" + print(f"[ssh] login to {host}") return SSHExec(host, verbose=args.verbose)
diff --git a/docker/chatmail_relay.dockerfile b/docker/chatmail_relay.dockerfile
index 72c4a042..3ec5f81e 100644
--- a/docker/chatmail_relay.dockerfile
+++ b/docker/chatmail_relay.dockerfile
@@ -18,8 +18,6 @@ RUN echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/01norecommend && \ RUN apt-get update && \ apt-get install -y \ - openssh-client \ - openssh-server \ git \ python3 \ python3-venv \
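Review bot: In run_cmd (cmdeploy.py), the `if sshexec == "localhost":` branch replaces the SSH target with pyinfra's `@local` connector while keeping `-y`, so the deployment is applied to the machine running cmdeploy with no confirmation prompt. Assuming `sshexec` comes from get_sshexec (its assignment is outside the hunk), the plain hostname `localhost` selects this mode too, whereas the removed Dockerfile lines show that `--ssh-host localhost` used to mean an SSH login to localhost. I would trigger local mode only on the explicit `@local` value and announce it inside the branch, e.g. `print("[local] deploying on this machine via pyinfra @local")`. run_cmd starts and ends outside the hunk.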
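Review bot: get_sshexec (cmdeploy.py) now returns the bare string `"localhost"` on one path and an SSHExec on the other, so every caller has to test for the string before using the result; run_cmd does so, but any caller that uses the SSHExec interface on the return value (none is visible in this diff) would presumably fail with an AttributeError in local mode. The `--skip-dns-check` kept in setup_chatmail_docker.sh may be hiding one such path, which is worth confirming. Consider a named module-level sentinel or a small local-executor class with the same interface, plus a docstring on get_sshexec that states both return kinds. As a style point, `if host in ("@local", "localhost"):` avoids the padded list literal. get_sshexec is nested in main, which extends outside the hunk.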
@@ -54,23 +52,6 @@ RUN apt-get update && \ done \ && rm -rf /var/lib/apt/lists/* -RUN systemctl enable \ - ssh \ - fcgiwrap - -RUN sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config && \ - sed -i 's/^#PermitRootLogin .*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config && \ - ssh-keygen -P "" -t rsa -b 2048 -f /root/.ssh/id_rsa && \ - mkdir -p /root/.ssh && \ - cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys && \ - SSH_USER_CONFIG="/root/.ssh/config" && \ - echo "Host localhost" > "$SSH_USER_CONFIG" && \ - echo " HostName localhost" >> "$SSH_USER_CONFIG" && \ - echo " User root" >> "$SSH_USER_CONFIG" && \ - echo " StrictHostKeyChecking no" >> "$SSH_USER_CONFIG" && \ - echo " UserKnownHostsFile /dev/null" >> "$SSH_USER_CONFIG" - ## TODO: deny access for all insteed root form 127.0.0.1 https://unix.stackexchange.com/a/406264 - WORKDIR /opt/chatmail ARG SETUP_CHATMAIL_SERVICE_PATH=/lib/systemd/system/setup_chatmail.service
diff --git a/docker/files/setup_chatmail_docker.sh b/docker/files/setup_chatmail_docker.sh
index 50f1e4ca..64d7af36 100755
--- a/docker/files/setup_chatmail_docker.sh
+++ b/docker/files/setup_chatmail_docker.sh
@@ -70,7 +70,7 @@ fi ./scripts/cmdeploy init --config "${INI_FILE}" $INI_CMD_ARGS $MAIL_DOMAIN bash /update_ini.sh -./scripts/cmdeploy run --ssh-host localhost --skip-dns-check +./scripts/cmdeploy run --ssh-host @local --skip-dns-check echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf systemctl restart systemd-journald