diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 7f4f1fcb..08d234bf 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -67,7 +67,7 @@ get_ipv4(){
 local IPV4_SRCS=
 local TRY=
 IPV4_SRCS[0]="api.ipify.org"
- IPV4_SRCS[1]="ifconfig.co"-
+ IPV4_SRCS[1]="ifconfig.co"
 IPV4_SRCS[2]="icanhazip.com"
 IPV4_SRCS[3]="v4.ident.me"
 IPV4_SRCS[4]="ipecho.net/plain"
@@ -153,6 +153,19 @@ while true; do
 IPV6=$(get_ipv6)
 log_f "OK" no_date
+ # Hard-fail on CAA errors for MAILCOW_HOSTNAME
+ MH_PARENT_DOMAIN=$(echo ${MAILCOW_HOSTNAME} | cut -d. -f2-)
+ MH_CAAS=( $(dig CAA ${MH_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
+ if [[ ! -z ${MH_CAAS} ]]; then
+ if [[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]; then
+ echo "Validated CAA for parent domain ${MH_PARENT_DOMAIN}"
+ else
+ echo "Skipping ACME validation: Lets Encrypt disallowed for ${MAILCOW_HOSTNAME} by CAA record, retrying in 1h..."
+ sleep 1h
+ exec $(readlink -f "$0")
+ fi
+ fi
+
 # Container ids may have changed
 CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
@@ -249,6 +262,17 @@ while true; do
 fi
 for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
+ # Skip on CAA errors for SAN
+ SAN_PARENT_DOMAIN=$(echo ${SAN} | cut -d. -f2-)
+ SAN_CAAS=( $(dig CAA ${SAN_PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
+ if [[ ! -z ${SAN_CAAS} ]]; then
+ if [[ ${SAN_CAAS[@]} =~ "letsencrypt.org" ]]; then
+ echo "Validated CAA for parent domain ${SAN_PARENT_DOMAIN} of ${SAN}"
+ else
+ echo "Skipping ACME validation for ${SAN}: Lets Encrypt disallowed for ${SAN} by CAA record"
+ continue
+ fi
+ fi
 if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
 continue
 fi
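Review bot: The `sed -n 's/\d issue "\(.*\)"/\1/p'` filter on the MH_CAAS line in the -153 hunk most likely never matches, because `\d` is not a digit class in POSIX or GNU sed (GNU reads `\dNNN` as a decimal character code), so MH_CAAS stays empty and the CAA gate is silently bypassed; the SAN_CAAS line in the -249 hunk uses the same pattern. Use a bracket expression instead, `sed -n 's/^[0-9]* issue "\(.*\)"/\1/p'`. The following `[[ ${MH_CAAS[@]} =~ "letsencrypt.org" ]]` is a substring test over the space-joined array, so any issuer value that merely contains that string passes; compare each element exactly instead, e.g. iterate `"${MH_CAAS[@]}"` and test `[[ "$caa" == "letsencrypt.org" ]]`. An empty result also cannot distinguish "no CAA record" from a failed `dig` (resolver unreachable), and the comment says "Hard-fail" while the branch sleeps an hour and re-execs, so one of the two should be adjusted. The enclosing `while true` loop starts and ends outside the hunk.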
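Review bot: In the -249 hunk the new CAA lookup runs before the existing `if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then continue` guard, so the mailcow hostname's parent domain is queried a second time, with a different outcome (skip here versus sleep 1h in the -153 hunk), before the loop discards that SAN anyway; placing the new block after that guard removes the redundant `dig`. The expansions in `$(echo ${SAN} | cut -d. -f2-)` and `dig CAA ${SAN_PARENT_DOMAIN}` are unquoted and `SAN_CAAS=( $(...) )` is subject to globbing, so a SAN value is word-split and pattern-expanded before it reaches `dig`; quoting the scalars and capturing with `mapfile -t SAN_CAAS < <(dig CAA "${SAN_PARENT_DOMAIN}" +short | sed ...)` avoids both. The `for SAN` loop continues past the end of the hunk.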
diff --git a/data/Dockerfiles/clamd/bootstrap.sh b/data/Dockerfiles/clamd/bootstrap.sh
index 76a6b79b..ba1cee85 100755
--- a/data/Dockerfiles/clamd/bootstrap.sh
+++ b/data/Dockerfiles/clamd/bootstrap.sh
@@ -14,6 +14,10 @@ chown root:tty /dev/console
 chmod g+rw /dev/console
 # Prepare
+[[ ! -f /var/lib/clamav/whitelist.ign2 ]] && touch /var/lib/clamav/whitelist.ign2
+dos2unix /var/lib/clamav/whitelist.ign2
+sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2
+
 BACKGROUND_TASKS=()
 (
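Review bot: `sed -i '/^\s*$/d' /var/lib/clamav/whitelist.ign2` replaces the file by renaming a temporary over it, which fails with "Device or resource busy" when the whitelist is mounted into the container as a single-file bind mount, and as far as I recall `dos2unix` rewrites the same way by default. If that layout is possible here, stream the content and write it back in place instead, e.g. `tr -d '\r' < "$f" | sed '/^\s*$/d' > "$tmp" && cat "$tmp" > "$f"` with `f` set to the whitelist path and `tmp` from `mktemp`. Neither the `touch` nor the two rewrites are error-checked, so a missing `dos2unix` binary or a path that resolved to a directory is reported by the tool and then ignored before `BACKGROUND_TASKS` starts; an explicit `|| exit 1` (or a logged warning, if the whitelist is optional) would make the outcome visible.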