config: use custom docker-mailserver-gui image in secure-stack compose #20
Code Review
This pull request updates the mailserver image in the docker-compose configuration to a version that includes a GUI. Feedback indicates that this change undermines the project's security model by increasing the attack surface and creating redundancy with existing services. Additionally, it is recommended to pin the Docker image to a specific version tag rather than using ':latest' to ensure deterministic and stable deployments.
| services: | ||
| mailserver: | ||
| image: mailserver/docker-mailserver:latest | ||
| image: webyhomelab/docker-mailserver-gui:latest |
The switch to the webyhomelab/docker-mailserver-gui image contradicts the security model described in the README.md (line 9), which states that the core mail server remains 'completely unmodified and isolated'. The new image, along with the Traefik labels (lines 33-37), suggests that a web interface is now running directly within the mail server container. This increases the attack surface and creates redundancy with the existing webmail service (SnappyMail) defined on line 39. This change undermines the 'Zero Trust' and isolation principles of the stack.
| services: | ||
| mailserver: | ||
| image: mailserver/docker-mailserver:latest | ||
| image: webyhomelab/docker-mailserver-gui:latest |
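Review bot: The replacement `image:` line still references a mutable tag, `webyhomelab/docker-mailserver-gui:latest`, so every pull can deploy different contents without any change to this file. Since the image also moves from the `mailserver/` namespace to a different publisher, pin it to a specific version tag, or to an immutable digest in the form `image: webyhomelab/docker-mailserver-gui@sha256:<digest>` (placeholder, not a real value), so that an image update shows up as a reviewable diff.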
This PR updates the secure-stack docker-compose.yml configuration to deploy the project's own custom webyhomelab/docker-mailserver-gui image instead of the upstream official image.
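The pinning recommendation from the review, as an added example (not code from this pull request or the project): a small Python check that flags compose `image:` references that use `:latest` or no tag. The sample compose text is constructed from the two image lines in the diff plus placeholder pinned references, and the function names are illustrative.

```python
import re

# Constructed sample: the two image lines from the diff, plus two pinned
# forms with placeholder names and values for comparison.
SAMPLE_COMPOSE = """\
services:
  mailserver:
    image: mailserver/docker-mailserver:latest
  mailserver-gui:
    image: webyhomelab/docker-mailserver-gui:latest
  pinned-tag:
    image: registry.example:5000/team/app:1.2.3
  pinned-digest:
    image: example/app@sha256:""" + "0" * 64 + "\n"

# Matches an uncommented `image:` key and captures the reference,
# stopping at quotes, whitespace or a trailing comment.
IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")

def classify(ref):
    """Return 'digest', 'tag' or 'mutable' for an image reference."""
    if re.search(r"@sha256:[0-9a-f]{64}$", ref):
        return "digest"               # content-addressed, cannot change
    name = ref.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]    # a ':' before the last '/' is a registry port
    tag = last.split(":", 1)[1] if ":" in last else ""
    if tag in ("", "latest"):
        return "mutable"              # no tag resolves to :latest
    return "tag"                      # named tag: stable only by convention

def audit(compose_text):
    """Return (line number, reference, classification) for each image line."""
    findings = []
    for lineno, line in enumerate(compose_text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

def unpinned(compose_text):
    """Return the references a reviewer should ask to have pinned."""
    return [ref for _, ref, kind in audit(compose_text) if kind == "mutable"]

if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE_COMPOSE):
        print(f"line {lineno}: {ref} -> {kind}")
```

A named tag can still be re-pushed by the publisher, so only the `digest` classification guarantees the same image bytes on every deployment.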