bug report: docker-data/dms/config/postfix-accounts.cf is world-readable #4436

@gnoutchd

πŸ“ Preliminary Checks

  • I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

👀 What Happened?

I recently installed DMS and created one account for myself using setup add email. (v15.0.1 at time of deployment, since upgraded to v15.0.2). I took a peek at my docker-data/dms/config/ and noticed that the password hash file (postfix-accounts.cf) was world-readable:

$ stat config/postfix-accounts.cf 
[...]
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
[...]

Since this is the (hashed) password file, I would have expected it to have restrictive permissions. I have other (unprivileged but not containerized) services running on this machine that shouldn't be allowed to read password hashes.

I manually chmoded it 0640 and restarted DMS with docker compose up --force-recreate and it seems to work still, so I assume it doesn't actually need to be world-readable. If that's true, please consider tweaking the setup tool to create this file root-only (e.g. umask 0027) because that would be a safer default. Thanks!

👟 Reproduction Steps

  1. Install DMS as per https://docker-mailserver.github.io/docker-mailserver/latest/usage/
  2. docker exec -it mailserver setup add email [email protected]
  3. stat ./docker-data/dms/config/postfix-accounts.cf

πŸ‹ DMS Version

v15.0.1

💻 Operating System and Architecture

Debian 12 (bookworm) arm64

βš™οΈ Container configuration files

📜 Relevant log output


Status

Accepted
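
A way to audit a config directory for the condition reported above and apply the reporter's suggested tightening, as an added example that is not part of the original issue or DMS code. The function names and the constructed sample directory are assumptions; whether DMS needs broader access to these files is not confirmed on this page.

```shell
#!/bin/sh
# Added example, not DMS code. Function names are hypothetical.

# Print every regular file under directory $1 that grants any permission
# bit (read, write or execute) to "other" users.
list_other_accessible() {
    # "-perm -NNN" matches when all bits in NNN are set, so OR the three bits.
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Create an empty file $1 under umask 0027, as the issue suggests.
# The subshell keeps the caller's umask unchanged; 0666 & ~0027 = 0640.
create_restricted() {
    ( umask 0027 && : > "$1" )
}

# Strip all "other" access from each flagged file under $1 and report it.
# Owner and group bits are left alone (0644 becomes 0640).
tighten_dir() {
    list_other_accessible "$1" | while IFS= read -r f; do
        chmod o-rwx "$f" && printf 'tightened: %s\n' "$f"
    done
}

# Demonstration on a constructed temporary directory (no real hashes).
demo() {
    d=$(mktemp -d) || return 1
    # Simulate the reported state: file written under a permissive umask.
    ( umask 0022 && printf 'constructed sample, not a real hash\n' \
        > "$d/postfix-accounts.cf" )
    create_restricted "$d/created-under-umask-0027.cf"
    echo "flagged before:"; list_other_accessible "$d"
    tighten_dir "$d"
    echo "flagged after:";  list_other_accessible "$d"
    rm -rf "$d"
}

demo
```

Pointing `list_other_accessible` at the host-side `docker-data/dms/config/` directory gives the same check as the `stat` call in the report, applied to every file in the directory.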
