Release v0.9.6#18
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the project documentation, including the addition of an interface preview, a legal disclaimer, and enhanced security audit descriptions. Key feedback points out that the referenced images and GitHub Action workflow files are missing from the repository. Additionally, concerns were raised regarding security risks in the dms-cert-dumper implementation and potential permission issues with the SnappyMail data persistence configuration.
| <img src="docker-mailserver-gui-1.png" alt="Docker Mailserver GUI - Webmail Login Screen" width="48%"> | ||
| <img src="docker-mailserver-gui-2.png" alt="Docker Mailserver GUI - Mailbox Inbox Interface" width="48%"> | ||
| </p> | ||
| <p align="center"> | ||
| <img src="docker-mailserver-gui-3.png" alt="Docker Mailserver GUI - Email Composition View" width="48%"> | ||
| <img src="docker-mailserver-gui-4.png" alt="Docker Mailserver GUI - Settings and Account Configuration" width="48%"> |
There was a problem hiding this comment.
The README.md references four new image files (docker-mailserver-gui-1.png through docker-mailserver-gui-4.png) for the interface preview, but these files are not included in the pull request. This will result in broken images in the documentation. Please ensure the screenshot files are added to the repository.
| - **Docker 29+ Compatibility:** Explicitly configured Traefik with `DOCKER_API_VERSION=1.41` to support modern container engines. | ||
| - **No Hardcoded Passwords:** The Supervisor UNIX socket credentials have been removed to prevent local privilege escalation. | ||
| - **Automatic Sync:** SSL certificates are reloaded automatically by the dumper without stopping the mail server. | ||
| - **Automatic SSL Sync:** SSL certificates are monitored and reloaded automatically by the `dms-cert-dumper` sidecar using a highly robust `alpine:3.18`-based image equipped with `docker-cli`. |
There was a problem hiding this comment.
The description of the dms-cert-dumper sidecar as 'highly robust' and 'equipped with docker-cli' is inaccurate. The current implementation in docker-compose.yml (line 87) performs runtime installation of docker-cli and downloads a binary from GitHub without integrity checks, which is fragile and poses a security risk. Additionally, the sidecar requires mounting /var/run/docker.sock, which is a significant security concern that contradicts the 'Zero Trust' architecture mentioned in the project. It is recommended to use a custom Dockerfile to pre-install dependencies and to investigate more secure ways of reloading the mail server.
| - **No Hardcoded Passwords:** The Supervisor UNIX socket credentials have been removed to prevent local privilege escalation. | ||
| - **Automatic Sync:** SSL certificates are reloaded automatically by the dumper without stopping the mail server. | ||
| - **Automatic SSL Sync:** SSL certificates are monitored and reloaded automatically by the `dms-cert-dumper` sidecar using a highly robust `alpine:3.18`-based image equipped with `docker-cli`. | ||
| - **Persistent Webmail Config:** SnappyMail data is explicitly persisted to `./snappymail-data` on the host, preventing the loss of settings/accounts across restarts. |
There was a problem hiding this comment.
The persistence of SnappyMail data to ./snappymail-data may encounter permission issues. The setup-gui.sh script creates this directory (likely as root), but the webmail service in docker-compose.yml is configured to run with PUID=1000. This will result in 'Permission denied' errors when the container attempts to write to the volume. It is recommended to update the setup scripts to chown the created directories to the appropriate user.
| - **Automatic Sync:** SSL certificates are reloaded automatically by the dumper without stopping the mail server. | ||
| - **Automatic SSL Sync:** SSL certificates are monitored and reloaded automatically by the `dms-cert-dumper` sidecar using a highly robust `alpine:3.18`-based image equipped with `docker-cli`. | ||
| - **Persistent Webmail Config:** SnappyMail data is explicitly persisted to `./snappymail-data` on the host, preventing the loss of settings/accounts across restarts. | ||
| - **Dual Registry Publishing:** Automatic package deployment publishes container images to both GitHub Container Registry (GHCR) and Docker Hub (`webyhomelab/docker-mailserver-gui`). |
There was a problem hiding this comment.
This line mentions 'Dual Registry Publishing' and the PR description states that workflows were updated, but no GitHub Action workflow files are included in this PR. Without these files, the automated publishing and the security scanning mentioned in SECURITY.md (lines 36-37) cannot be verified or executed. Please include the missing workflow configurations.
1 participant
Release v0.9.6 preparation with updated README, SECURITY, workflows, and screenshots.