diff --git a/docker-compose-imaptest.yml b/docker-compose-imaptest.yml
index 88924e3..a6f91a2 100644
--- a/docker-compose-imaptest.yml
+++ b/docker-compose-imaptest.yml
@@ -1,13 +1,12 @@
-version: '3.7'
 services:
   mox:
     build:
       context: .
       dockerfile: Dockerfile.moximaptest
     volumes:
-      - ./testdata/imaptest/config:/mox/config
-      - ./testdata/imaptest/data:/mox/data
-      - ./testdata/imaptest/imaptest.mbox:/mox/imaptest.mbox
+      - ./testdata/imaptest/config:/mox/config:z
+      - ./testdata/imaptest/data:/mox/data:z
+      - ./testdata/imaptest/imaptest.mbox:/mox/imaptest.mbox:z
     working_dir: /mox
     tty: true # For job control with set -m.
     command: sh -c 'set -m; mox serve & sleep 1; echo testtest | mox setaccountpassword mjl; fg'
@@ -24,7 +23,7 @@ services:
     command: host=mox port=1143 'user=mjl@mox.example' pass=testtest mbox=/imaptest/imaptest.mbox
     working_dir: /imaptest
     volumes:
-      - ./testdata/imaptest:/imaptest
+      - ./testdata/imaptest:/imaptest:z
     depends_on:
       mox:
         condition: service_healthy
diff --git a/docker-compose-integration.yml b/docker-compose-integration.yml
index 53e95fc..339de22 100644
--- a/docker-compose-integration.yml
+++ b/docker-compose-integration.yml
@@ -1,4 +1,3 @@
-version: '3.7'
 services:
   # We run integration_test.go from this container, it connects to the other mox instances.
   test:
@@ -9,11 +8,11 @@ services:
     # dials in integration_test.go succeed.
     command: ["sh", "-c", "set -ex; cat /integration/tmp-pebble-ca.pem /integration/tls/ca.pem >>/etc/ssl/certs/ca-certificates.crt; go test -tags integration"]
     volumes:
-      - ./.go:/.go
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
-      - ./testdata/integration/moxsubmit.conf:/etc/moxsubmit.conf
-      - .:/mox
+      - ./.go:/.go:z
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
+      - ./testdata/integration/moxsubmit.conf:/etc/moxsubmit.conf:z
+      - .:/mox:z
     environment:
       GOCACHE: /.go/.cache/go-build
     depends_on:
@@ -41,8 +40,8 @@ services:
       MOX_UID: "${MOX_UID}"
     command: ["sh", "-c", "/integration/moxacmepebble.sh"]
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     healthcheck:
       test: netstat -nlt | grep ':25 '
       interval: 1s
@@ -66,8 +65,8 @@ services:
       MOX_UID: "${MOX_UID}"
     command: ["sh", "-c", "/integration/moxmail2.sh"]
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     healthcheck:
       test: netstat -nlt | grep ':25 '
       interval: 1s
@@ -94,8 +93,8 @@ services:
       MOX_UID: "${MOX_UID}"
     command: ["sh", "-c", "/integration/moxacmepebblealpn.sh"]
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     healthcheck:
       test: netstat -nlt | grep ':25 '
       interval: 1s
@@ -116,9 +115,9 @@ services:
     image: mox_integration_moxmail
     command: ["sh", "-c", "set -e; chmod o+r /etc/resolv.conf; mox -checkconsistency localserve -ip 172.28.1.60"]
     volumes:
-      - ./.go:/.go
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - .:/mox
+      - ./.go:/.go:z
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - .:/mox:z
     environment:
       GOCACHE: /.go/.cache/go-build
     healthcheck:
@@ -141,7 +140,7 @@ services:
       context: testdata/integration
     volumes:
       # todo: figure out how to mount files with a uid that the process in the container can read...
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
     command: ["sh", "-c", "set -e; chmod o+r /etc/resolv.conf; (echo 'maillog_file = /dev/stdout'; echo 'mydestination = $$myhostname, localhost.$$mydomain, localhost, $$mydomain'; echo 'smtp_tls_security_level = may') >>/etc/postfix/main.cf; echo 'root: postfix@mox1.example' >>/etc/postfix/aliases; newaliases; postfix start-fg"]
     healthcheck:
       test: netstat -nlt | grep ':25 '
@@ -162,8 +161,8 @@ services:
       # todo: figure out how to build from dockerfile with empty context without creating empty dirs in file system.
       context: testdata/integration
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     # We start with a base example.zone, but moxacmepebble appends its records,
     # followed by moxmail2. They restart unbound after appending records.
     command: ["sh", "-c", "set -ex; ls -l /etc/resolv.conf; chmod o+r /etc/resolv.conf; install -m 640 -o unbound /integration/unbound.conf /etc/unbound/; chmod 755 /integration; chmod 644 /integration/*.zone; cp /integration/example.zone /integration/example-integration.zone; ls -ld /integration /integration/reverse.zone; unbound -d -p -v"]
@@ -183,8 +182,8 @@ services:
     hostname: acmepebble.example
     image: docker.io/letsencrypt/pebble:v2.3.1@sha256:fc5a537bf8fbc7cc63aa24ec3142283aa9b6ba54529f86eb8ff31fbde7c5b258
     volumes:
-      - ./testdata/integration/resolv.conf:/etc/resolv.conf
-      - ./testdata/integration:/integration
+      - ./testdata/integration/resolv.conf:/etc/resolv.conf:z
+      - ./testdata/integration:/integration:z
     command: ["sh", "-c", "set -ex; mount; ls -l /etc/resolv.conf; chmod o+r /etc/resolv.conf; pebble -config /integration/pebble-config.json"]
     ports:
       - 14000:14000  # ACME port
diff --git a/docker-compose.yml b/docker-compose.yml
index 9d72227..86e9ee6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,7 +27,6 @@
 # The -ip flag ensures connections to the published ports make it to mox, and it
 # prevents listening on ::1 (IPv6 is not enabled in docker by default).
 
-version: '3.7'
 services:
   mox:
     # Replace "latest" with the version you want to run, see https://r.xmox.nl/r/mox/.
@@ -39,11 +38,11 @@ services:
     # machine, and the IPs of incoming connections for spam filtering.
     network_mode: 'host'
     volumes:
-      - ./config:/mox/config
-      - ./data:/mox/data
+      - ./config:/mox/config:z
+      - ./data:/mox/data:z
       # web is optional but recommended to bind in, useful for serving static files with
       # the webserver.
-      - ./web:/mox/web
+      - ./web:/mox/web:z
     working_dir: /mox
     restart: on-failure
     healthcheck: