diff --git a/docker-compose.yaml b/docker-compose.yaml
index 0678014e..167a681f 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -32,8 +32,6 @@ services:
 max-file: "3"
 environment:
 MAIL_DOMAIN: $MAIL_DOMAIN
- CHATMAIL_NOSYSCTL: ${CHATMAIL_NOSYSCTL:-True}
- CHATMAIL_NOPORTCHECK: ${CHATMAIL_NOPORTCHECK:-True}
 network_mode: "host"
 volumes:
 ## system (required)
diff --git a/docker/files/entrypoint.sh b/docker/files/entrypoint.sh
index a1fdddd4..e7629587 100755
--- a/docker/files/entrypoint.sh
+++ b/docker/files/entrypoint.sh
@@ -6,7 +6,7 @@ SETUP_CHATMAIL_SERVICE_PATH="${SETUP_CHATMAIL_SERVICE_PATH:-/lib/systemd/system/
 # Whitelist only the env vars needed by setup_chatmail_docker.sh.
 # Forwarding all env vars (via printenv) would leak Docker internals,
 # orchestrator secrets, and other unrelated variables into systemd.
-env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI CHATMAIL_NOSYSCTL CHATMAIL_NOPORTCHECK TLS_EXTERNAL_CERT_AND_KEY PATH"
+env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI TLS_EXTERNAL_CERT_AND_KEY PATH"
 sed -i "s||$env_vars|g" "$SETUP_CHATMAIL_SERVICE_PATH"
 exec /lib/systemd/systemd "$@"
diff --git a/docker/files/setup_chatmail_docker.sh b/docker/files/setup_chatmail_docker.sh
index 54226454..1fc66fd5 100755
--- a/docker/files/setup_chatmail_docker.sh
+++ b/docker/files/setup_chatmail_docker.sh
@@ -2,6 +2,8 @@ set -euo pipefail
 export CHATMAIL_INI="${CHATMAIL_INI:-/etc/chatmail/chatmail.ini}"
+export CHATMAIL_NOSYSCTL=True
+export CHATMAIL_NOPORTCHECK=True
 CMDEPLOY=/opt/cmdeploy/bin/cmdeploy
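Review bot: The two added exports in docker/files/setup_chatmail_docker.sh force `CHATMAIL_NOSYSCTL` and `CHATMAIL_NOPORTCHECK` to `True` with no comment, and unlike the `CHATMAIL_INI` line above them they cannot be overridden; together with the entrypoint.sh hunk dropping both names from `env_vars`, a value an operator still sets in the compose environment is now ignored silently. A short comment would record that this is deliberate, e.g. `# Always skip sysctl changes and the port check in the container; not configurable via env.` Because the compose file in the first hunk runs with `network_mode: "host"`, the docs should also say that whatever kernel settings and port-conflict checks these flags presumably skip become the host operator's responsibility. The script continues outside the hunk, so how cmdeploy interprets the two variables is not visible here.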