From 33349065b542be3137f0975c37e8384cc2654f5c Mon Sep 17 00:00:00 2001
From: Vilgot Fredenberg
Date: Sat, 11 Apr 2020 14:34:50 +0200
Subject: [PATCH 1/3] Harden default configuration
---
 setup/flavors/compose/docker-compose.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/setup/flavors/compose/docker-compose.yml b/setup/flavors/compose/docker-compose.yml
index f8a428bd..3fbfb862 100644
--- a/setup/flavors/compose/docker-compose.yml
+++ b/setup/flavors/compose/docker-compose.yml
@@ -32,7 +32,7 @@ services:
 {% endfor %}
 volumes:
 - "{{ root }}/certs:/certs"
- - "{{ root }}/overrides/nginx:/overrides"
+ - "{{ root }}/overrides/nginx:/overrides:ro"
 {% if resolver_enabled %}
 resolver:
@@ -64,7 +64,7 @@ services:
 env_file: {{ env }}
 volumes:
 - "{{ root }}/mail:/mail"
- - "{{ root }}/overrides:/overrides"
+ - "{{ root }}/overrides/dovecot:/overrides:ro"
 depends_on:
 - front
@@ -74,7 +74,7 @@ services:
 env_file: {{ env }}
 volumes:
 - "{{ root }}/mailqueue:/queue"
- - "{{ root }}/overrides:/overrides"
+ - "{{ root }}/overrides/postfix:/overrides:ro"
 depends_on:
 - front
 {% if resolver_enabled %}
@@ -89,8 +89,8 @@ services:
 env_file: {{ env }}
 volumes:
 - "{{ root }}/filter:/var/lib/rspamd"
- - "{{ root }}/dkim:/dkim"
- - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d"
+ - "{{ root }}/dkim:/dkim:ro"
+ - "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
 depends_on:
 - front
 {% if resolver_enabled %}
From 19afa8b270449eb337ae8353e2cc535cff6d9ce3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Fri, 1 May 2020 15:21:42 +0300
Subject: [PATCH 2/3] Docs: Add move of override files to release notes
---
 docs/releases.rst | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/docs/releases.rst b/docs/releases.rst
index 5fdf1a8f..3d50c285 100644
--- a/docs/releases.rst
+++ b/docs/releases.rst
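Review bot: In the first hunk the override mount becomes read-only while `"{{ root }}/certs:/certs"` directly above it stays writable, and nothing in the template says why. If that is deliberate (the service presumably writes certificates there), a comment above the entry would keep a later hardening pass from breaking it, for example `# /certs is left read-write on purpose: <reason>`. The service definition starts before the hunk, so the container name is not visible here.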
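Review bot: The second and third hunks change the host side of the bind mount from `{{ root }}/overrides` to `{{ root }}/overrides/dovecot` and `{{ root }}/overrides/postfix`, so an installation that regenerates this file without moving its files will start with empty override directories and no error. With this short volume syntax Docker normally creates a missing host directory, so the containers would silently fall back to the default Dovecot and Postfix configuration and drop any local restrictions the operator had set. A comment above each changed mount would put the warning where the person regenerating the file sees it, for example `# moved from overrides/ in 1.8: existing override files must be relocated here`. Both service definitions start before their hunks.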
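Review bot: The fourth hunk makes `{{ root }}/dkim:/dkim` read-only for the service that mounts `/var/lib/rspamd`, which is only safe if this container never creates or rotates the DKIM keys itself. The writer of that directory is not visible in these hunks, so it is worth confirming that whichever service generates the keys keeps a writable mount, and recording that next to the entry, for example `# signing keys are only read here; they are written by <service>`. Note that `:ro` prevents modification, not reading, so the host file permissions on the private keys still matter.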
@@ -1,6 +1,15 @@
 Release notes
 =============
+Mailu 1.8 - tbd
+----------------------
+
+Override location changes
+`````````````````````````
+
+If you have regenerated the Docker compose and environment files, there are some changes to the configuration overrides.
+Override files are now mounted read-only into the containers. The Dovecot and Postfix overrides are moved in their own sub-directory. If there are local override files, they will need to be moved from ``overrides/`` to ``overrides/dovecot`` and ``overrides/postfix/``.
+
 Mailu 1.7 - 2019-08-22
 ----------------------
From 522fd991624b504f4956b4d86dcee1de73bc1996 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Fri, 1 May 2020 15:26:07 +0300
Subject: [PATCH 3/3] Create 1444.misc
---
 towncrier/newsfragments/1444.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1444.misc
diff --git a/towncrier/newsfragments/1444.misc b/towncrier/newsfragments/1444.misc
new file mode 100644
index 00000000..82b18215
--- /dev/null
+++ b/towncrier/newsfragments/1444.misc
@@ -0,0 +1 @@
+Harden security by making certain configuration files read-only. Moves Postfix and Dovecot overrides an independed sub-directories.