Commit graph

4 commits

Author SHA1 Message Date
Slavi Pantaleev 299a8c4c7c Make (most) containers start as non-root
This makes all containers (except mautrix-telegram and
mautrix-whatsapp), start as a non-root user.

We do this, because we don't trust some of the images.
In any case, we'd rather not trust ALL images and avoid giving
`root` access at all. We can't be sure they would drop privileges
or what they might do before they do it.

Because Postfix doesn't support running as non-root,
it had to be replaced by an Exim mail server.

The matrix-nginx-proxy nginx container image is patched up
(by replacing its main configuration) so that it can work as non-root.
It seems like there's no other good image that we can use and that is up-to-date
(https://hub.docker.com/r/nginxinc/nginx-unprivileged is outdated).

Likewise for riot-web (https://hub.docker.com/r/bubuntux/riot-web/),
we patch it up ourselves when starting (replacing the main nginx
configuration).
Ideally, it would be fixed upstream so we can simplify.
2019-01-27 20:25:13 +02:00
Slavi Pantaleev 4fd8b66b6e Update documentation about email configuration (relayhost brackets)
Relay hostnames that have MX records are looked up by postfix
and the MX record's payload is used instead.

This special behavior may be undesirable, so we make sure to
point it out.
2018-12-13 16:32:10 +09:00
Slavi Pantaleev 2b2409bf1e Update documentation about email configuration
This makes it explicit that outgoing traffic (25/587) needs
to be let through, as well as documenting how to debug
other non-delivery issues.
2018-12-13 15:19:01 +09:00
Slavi Pantaleev 21da2f572b Add email-sending support 2018-08-14 14:47:44 +03:00