06/16/2026

YARA malware scanning in Rspamd: unwrap malicious mail

YARA malware scanning in Rspamd unpacks OLE, VBA, PDFs and nested attachments before detection rules inspect the dangerous bits.

06/14/2026

DCC, Razor and Pyzor for Rspamd: One Docker Backend

Run DCC, Razor and Pyzor for Rspamd from one token-authed Docker backend that never blocks the scanner and never writes your mail to disk. Here is how the shim works and why it looks the way it does.

06/03/2026

Hardened Roundcube Docker: The Webmail Container That Trusts Nobody

Our hardened Roundcube Docker image runs as nobody, can chown nothing, and treats every request as hostile. Here is the full unprivileged + WAF security model — and why default webmail containers are a liability.

06/02/2026

ViMbAdmin: The Postfix + Dovecot Mailbox Admin Panel (Modernised for PHP 8.5)

Your mailbox table deserves better than raw SQL at 02:00. ViMbAdmin — modernised for PHP 8.5 — manages Postfix + Dovecot virtual domains, mailboxes and aliases via web UI or JSON-RPC API, with TOTP, brute-force protection and a hardened Docker image.

05/24/2026

Docker Hardening for Self-Hosters: Rootless, Read-Only, Cap-Drop, Distroless (2026 Guide)

Default Docker is barely a container at all — root, mutable, all caps, shared kernel. This is the ten-flag hardening checklist that turns it into something a real attacker has to work to break: rootless, read-only, cap-drop, no-new-privileges, distroless, secrets, segmentation, scanning. With a worked NGINX + PHP-FPM compose example.

05/20/2026

Self-Hosted Vaultwarden: Docker Setup, Clients & Full Guide

Run your own password manager with self-hosted Vaultwarden — a tiny Docker image, full Bitwarden client compatibility, and total control over your encrypted vault.
