// Archive
Tag: selfhosted
YARA malware scanning in Rspamd: unwrap malicious mail
YARA malware scanning in Rspamd unpacks OLE, VBA, PDFs and nested attachments before detection rules inspect the dangerous bits.
DCC, Razor and Pyzor for Rspamd: One Docker Backend
Run DCC, Razor and Pyzor for rspamd from one token-authed Docker backend that never blocks the scanner and never writes your mail to disk. Here is how the shim works and why it looks the way it does.
Hardened Roundcube Docker: The Webmail Container That Trusts Nobody
Our hardened Roundcube Docker image runs as nobody, can chown nothing, and treats every request as hostile. Here is the full unprivileged + WAF security model — and why default webmail containers are a liability.
ViMbAdmin: The Postfix + Dovecot Mailbox Admin Panel (Modernised for PHP 8.5)
Your mailbox table deserves better than raw SQL at 02:00. ViMbAdmin — modernised for PHP 8.5 — manages Postfix + Dovecot virtual domains, mailboxes and aliases via web UI or JSON-RPC API, with TOTP, brute-force protection and a hardened Docker image.
Docker Hardening for Self-Hosters: Rootless, Read-Only, Cap-Drop, Distroless (2026 Guide)
Default Docker is barely a container at all — root, mutable, all caps, shared kernel. This is the ten-flag hardening checklist that turns it into something a real attacker has to work to break: rootless, read-only, cap-drop, no-new-privileges, distroless, secrets, segmentation, scanning. With a worked NGINX + PHP-FPM compose example.
Self-Hosted Vaultwarden: Docker Setup, Clients & Full Guide
Run your own password manager with self-hosted Vaultwarden — a tiny Docker image, full Bitwarden client compatibility, and total control over your encrypted vault.