After upgrade, Waiting for database to come up...

RaVoR

mlcwuser Great summary. 🙂

I normally use debian as well, but for something heavily exposed like a mail server, I wanted the extra security, so I’ve opted especially for a distribution with SELinux and container ruleset (debian unfortunately lacks the latter). I had to install it from scratch as my mailcow is not running at home, but on a vServer and my provider does not provide RockyLinux by default…

At the end, it always boils down to “what are you using it for”. In my case, the mail server powers my own company as well as some other small companies, which heavily rely on their mails. So the system is regarded critical. 🙂

poandlsl

Thanks to @RaVoR ’s discovery that differences in the SELinux labels applied to containers was causing the issue, I was able to work around the issue by ensuring that all containers that share the mysql-socket-vol volume are created with the same MLS label. After doing this, I am able to successfully run Mailcow with SELinux in Enforcing mode with the latest docker-ce package.

To do this, create a docker-compose.override.yml to add the same MLS label to the containers that share the mysql socket volume. Pick a sensitivity and categories that fit your security threat model.

e.g.

services:

  mysql-mailcow:
    security_opt:
      - label:level:s0:c100,c200

  php-fpm-mailcow:
    security_opt:
      - label:level:s0:c100,c200

  sogo-mailcow:
    security_opt:
      - label:level:s0:c100,c200

  dovecot-mailcow:
    security_opt:
      - label:level:s0:c100,c200

  postfix-mailcow:
    security_opt:
      - label:level:s0:c100,c200

  acme-mailcow:
    security_opt:
      - label:level:s0:c100,c200

  watchdog-mailcow:
    security_opt:
      - label:level:s0:c100,c200

« Previous Page