From 85ee7dbeb5f013104a7412ca0cbfb6768fd4f6ab Mon Sep 17 00:00:00 2001
From: j4n
Date: Mon, 16 Feb 2026 20:08:25 +0100
Subject: [PATCH] docker: document security implications of host networking + cgroups
---
 docker-compose.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index 72e92098..d2a43c7d 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,4 +1,10 @@
 # Copy docker/example.env to .env and set MAIL_DOMAIN before starting.
+#
+# Security note: this container uses network_mode:host (chatmail needs many
+# ports: 25, 53, 80, 143, 443, 465, 587, 993, 3340, 8443) and cgroup:host
+# (required for systemd). Together these give the container near-host-level
+# access. This is acceptable for a dedicated mail server, but be aware that
+# the container can bind any port and see all host network traffic.
 services:
   chatmail:
     build:
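Review bot: The added security note stops at port binding and traffic visibility, and leaves out two consequences of network_mode:host that an operator needs when deciding what else may run on the machine. The container shares the host's loopback interface, so anything on the host that listens only on 127.0.0.1 is reachable from inside it. Docker's port publishing also does not apply in this mode, so the host firewall is the only control over which of the listed ports are exposed. I would append to the comment: `# Services bound to the host's 127.0.0.1 are reachable from the container, and` / `# port exposure is limited only by the host firewall, not by Docker.` The chatmail service definition continues past the end of the hunk, so whether capabilities are dropped or the container runs privileged cannot be checked here; "see all host network traffic" presumably relies on the default NET_RAW capability being kept, which is worth stating if that is the case.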