diff --git a/docs/releases.rst b/docs/releases.rst
index 5fdf1a8f..3d50c285 100644
--- a/docs/releases.rst
+++ b/docs/releases.rst
@@ -1,6 +1,15 @@
 Release notes
 =============
+Mailu 1.8 - tbd
+----------------------
+
+Override location changes
+`````````````````````````
+
+If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
+Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
+
 Mailu 1.7 - 2019-08-22
 ----------------------
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index f8a428bd..3fbfb862 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -32,7 +32,7 @@ services:
 {% endfor %}
 volumes:
 - "{{ root }}/certs:/certs"
- "{{ root }}/overrides/nginx:/overrides"
+ - "{{ root }}/overrides/nginx:/overrides:ro"
 {% if resolver_enabled %}
 resolver:
@@ -64,7 +64,7 @@ services:
 env_file: {{ env }}
 volumes:
 - "{{ root }}/mail:/mail"
- "{{ root }}/overrides:/overrides"
+ - "{{ root }}/overrides/dovecot:/overrides:ro"
 depends_on:
 - front
@@ -74,7 +74,7 @@ services:
 env_file: {{ env }}
 volumes:
 - "{{ root }}/mailqueue:/queue"
- "{{ root }}/overrides:/overrides"
+ - "{{ root }}/overrides/postfix:/overrides:ro"
 depends_on:
 - front
 {% if resolver_enabled %}
@@ -89,8 +89,8 @@ services:
 env_file: {{ env }}
 volumes:
 - "{{ root }}/filter:/var/lib/rspamd"
- "{{ root }}/dkim:/dkim"
- "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
+ - "{{ root }}/dkim:/dkim:ro"
+ - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
 depends_on:
 - front
 {% if resolver_enabled %}
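Review bot: In the `@@ -32,7` hunk, `{{ root }}/certs:/certs` stays read-write while the nginx overrides on the next line become `:ro`, and the template does not say why. If this container has to write certificates itself (presumably when it obtains or renews them automatically), state the exception at the mount, e.g. `# /certs stays writable: this service may create or renew certificates here`. Where the operator supplies the certificates, the same mount could also be `:ro`, which would keep the TLS private key from being replaced from inside the container. The service definition starts outside the hunk.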
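Review bot: The bind-mount source changes from `overrides` to `overrides/dovecot` here and to `overrides/postfix` in the `@@ -74,7` hunk, so on an upgraded host any override file left directly in `overrides/` silently stops being applied. Docker creates a missing bind-mount source as an empty directory, so both services start cleanly with stock settings. An operator whose override tightened TLS or relay policy would lose that hardening with no error. The release note documents the move, but the template should also say it at each mount, e.g. `# only files in overrides/postfix are read; move existing files out of overrides/`.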
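Review bot: In the `@@ -89,8` hunk, the `:ro` on `{{ root }}/dkim:/dkim` only stops this container from modifying the DKIM private keys; every process in it can still read them. The host directory must also stay writable for whichever service generates the keys, which this diff does not show. A comment at the mount would make that explicit and keep the flag from being read as a confidentiality control: `# keys are only read here (presumably for signing); :ro protects integrity, not secrecy`. Also confirm that nothing in this container writes to `/etc/rspamd/override.d` at run time, since such writes will now fail.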
diff --git a/towncrier/newsfragments/1444.misc b/towncrier/newsfragments/1444.misc
new file mode 100644
index 00000000..82b18215
--- /dev/null
+++ b/towncrier/newsfragments/1444.misc
@@ -0,0 +1 @@
+Harden security by making certain configuration files read-only. Moves Postfix and Dovecot overrides an independed sub-directories.