github-actions[bot] 2021-06-19 10:33:59 +00:00
parent e58cba57cc
commit 036bcaef3f
3 changed files with 88 additions and 96 deletions


@ -73,7 +73,7 @@
<div data-md-component="skip">
<a href="#basic-setup" class="md-skip">
<a href="#single-encryption-key-global-method" class="md-skip">
Skip to content
</a>
@ -648,8 +648,8 @@
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#basic-setup" class="md-nav__link">
Basic Setup
<a href="#single-encryption-key-global-method" class="md-nav__link">
Single Encryption Key / Global Method
</a>
</li>
@ -1256,8 +1256,8 @@
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#basic-setup" class="md-nav__link">
Basic Setup
<a href="#single-encryption-key-global-method" class="md-nav__link">
Single Encryption Key / Global Method
</a>
</li>
@ -1289,62 +1289,54 @@
</div>
<p>Official Dovecot documentation: <a href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/">https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/</a></p>
<hr />
<h2 id="basic-setup"><a class="toclink" href="#basic-setup">Basic Setup</a></h2>
<h2 id="single-encryption-key-global-method"><a class="toclink" href="#single-encryption-key-global-method">Single Encryption Key / Global Method</a></h2>
<ol>
<li>Before you can enable mail_crypt, you'll need to copy out several dovecot/conf.d files to the host (from a running container) and then take the container down:
<div class="highlight"><pre><span></span><code>mkdir -p config/dovecot
docker cp mailserver:/etc/dovecot/conf.d/20-lmtp.conf config/dovecot/
docker cp mailserver:/etc/dovecot/conf.d/20-imap.conf config/dovecot/
docker cp mailserver:/etc/dovecot/conf.d/20-pop3.conf config/dovecot/
docker-compose down
</code></pre></div></li>
<li>You then need to <a href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key">generate your global EC key</a>.</li>
<li>The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
<div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span>
<span class="nt">mailserver</span><span class="p">:</span>
<span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/mailserver/docker-mailserver:latest</span>
<span class="nt">volumes</span><span class="p">:</span>
<span class="l l-Scalar l-Scalar-Plain">. . .</span>
<span class="l l-Scalar l-Scalar-Plain">- ./certs/:/certs</span>
<span class="l l-Scalar l-Scalar-Plain">. . .</span>
</code></pre></div></li>
<li>While you're editing the docker-compose.yml, add the configuration files you copied out:
<div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span>
<span class="nt">mailserver</span><span class="p">:</span>
<span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/mailserver/docker-mailserver:latest</span>
<span class="nt">volumes</span><span class="p">:</span>
<span class="l l-Scalar l-Scalar-Plain">. . .</span>
<span class="l l-Scalar l-Scalar-Plain">- ./config/dovecot/20-lmtp.conf:/etc/dovecot/conf.d/20-lmtp.conf</span>
<span class="l l-Scalar l-Scalar-Plain">- ./config/dovecot/20-imap.conf:/etc/dovecot/conf.d/20-imap.conf</span>
<span class="l l-Scalar l-Scalar-Plain">- ./config/dovecot/20-pop3.conf:/etc/dovecot/conf.d/20-pop3.conf</span>
<span class="l l-Scalar l-Scalar-Plain">- ./certs/:/certs</span>
<span class="l l-Scalar l-Scalar-Plain">. . .</span>
</code></pre></div></li>
<li>The <code>mail_crypt</code> plugin, unless you're using a non-standard configuration of docker-mailserver, should be enabled on both <code>lmtp</code> and <code>imap</code>. You'll want to edit three different files:<ul>
<li><code>./config/dovecot/20-lmtp.conf</code>
<div class="highlight"><pre><span></span><code>protocol lmtp {
mail_plugins = $mail_plugins sieve mail_crypt
plugin {
<li>
<p>Create <code>10-custom.conf</code> and populate it with the following:</p>
<div class="highlight"><pre><span></span><code># Enables mail_crypt for all services (imap, pop3, etc)
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_global_private_key = &lt;/certs/ecprivkey.pem
mail_crypt_global_public_key = &lt;/certs/ecpubkey.pem
mail_crypt_save_version = 2
}
}
</code></pre></div></li>
<li><code>./config/dovecot/20-imap.conf</code>
<div class="highlight"><pre><span></span><code>protocol imap {
mail_plugins = $mail_plugins imap_quota mail_crypt
plugin {
mail_crypt_global_private_key = &lt;/certs/ecprivkey.pem
mail_crypt_global_public_key = &lt;/certs/ecpubkey.pem
mail_crypt_save_version = 2
}
}
</code></pre></div></li>
<li>If you use pop3, make the same changes in <code>20-pop3.conf</code></li>
</ul>
</code></pre></div>
</li>
<li>
<p>Shutdown your mailserver (<code>docker-compose down</code>)</p>
</li>
<li>
<p>You then need to <a href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key">generate your global EC key</a>. We named them <code>/certs/ecprivkey.pem</code> and <code>/certs/ecpubkey.pem</code> in step #1.</p>
</li>
<li>
<p>The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
<div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span>
<span class="nt">mailserver</span><span class="p">:</span>
<span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/mailserver/docker-mailserver:latest</span>
<span class="nt">volumes</span><span class="p">:</span>
<span class="l l-Scalar l-Scalar-Plain">. . .</span>
<span class="l l-Scalar l-Scalar-Plain">- ./certs/:/certs</span>
<span class="l l-Scalar l-Scalar-Plain">. . .</span>
</code></pre></div></p>
</li>
<li>
<p>While you're editing the <code>docker-compose.yml</code>, add the configuration file:
<div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span>
<span class="nt">mailserver</span><span class="p">:</span>
<span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/mailserver/docker-mailserver:latest</span>
<span class="nt">volumes</span><span class="p">:</span>
<span class="l l-Scalar l-Scalar-Plain">. . .</span>
<span class="l l-Scalar l-Scalar-Plain">- ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf</span>
<span class="l l-Scalar l-Scalar-Plain">- ./certs/:/certs</span>
<span class="l l-Scalar l-Scalar-Plain">. . .</span>
</code></pre></div></p>
</li>
<li>
<p>Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
<div class="highlight"><pre><span></span><code>[root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v<36>z<EFBFBD>@<40><> m}<7D><>,<2C><>9<EFBFBD><39><EFBFBD><EFBFBD>B*<2A>247.us-west-2.compute.inE<6E><45>\Ck*<2A>@7795,W=7947:2,
T<EFBFBD>9<EFBFBD>8t<EFBFBD>6<EFBFBD><EFBFBD> t<><74><EFBFBD>e<EFBFBD>W<EFBFBD><57>S `<60>H<EFBFBD><48>C<EFBFBD>ڤ <20>yeY<65><59>XZ<58><5A>^<5E>d<EFBFBD>/<2F><>+<2B>A
</code></pre></div></p>
</li>
<li>Start the container and monitor the logs for any errors</li>
</ol>
<p>This should be the minimum required for encryption of the mail while in storage.</p>
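Review bot: step 1 tells the reader to "Create `10-custom.conf`" but never says where on the host to put it; the path `./config/dovecot/10-custom.conf` first appears several steps later in the volume line `- ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf`, so someone following the numbered steps in order writes the file before knowing its location. Suggest naming the host path in step 1 (or moving the bind-mount step ahead of it). Two related gaps: the config references `/certs/ecprivkey.pem` and `/certs/ecpubkey.pem`, while the key-generation step only links to the Dovecot docs, so it should state explicitly that the generated files must be saved under `./certs/` with exactly those names; and since this is the "Single Encryption Key / Global Method" (one `mail_crypt_global_private_key` for every mailbox on the server), the private key deserves a sentence about keeping its host permissions restrictive and mounting the directory read-only (`- ./certs/:/certs:ro`) so the container cannot alter it. Finally, the verification transcript in the last step embeds a deployment-specific path (`/mnt/efs-us-west-2/maildata/...`) and a truncated hostname, and a full `cat -A` of a binary file is hard to read; a generic maildir path plus a short hex dump of the first bytes (for example `head -c 64 FILE | xxd`) would make the "file on disk is encrypted" check clearer.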

File diff suppressed because one or more lines are too long


@ -2,187 +2,187 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/faq/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/introduction/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/pop3/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/setup.sh/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/auth-ldap/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/full-text-search/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/ipv6/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/kubernetes/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/mail-fetchmail/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/mail-sieve/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/optional-config/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/mail-forwarding/aws-ses/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/mail-forwarding/relay-hosts/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/maintenance/update-and-cleanup/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/override-defaults/dovecot/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/override-defaults/postfix/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/override-defaults/user-patches/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/autodiscover/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dkim/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dmarc/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/spf/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/security/fail2ban/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/security/mail_crypt/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/security/ssl/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/security/understanding-the-ports/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/troubleshooting/debugging/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/user-management/accounts/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/config/user-management/aliases/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/contributing/coding-style/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/contributing/documentation/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/contributing/issues-and-pull-requests/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/contributing/tests/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/basic-installation/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/mailserver-behind-proxy/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://docker-mailserver.github.io/docker-mailserver/edge/examples/uses-cases/forward-only-mailserver-with-ldap-authentication/</loc>
<lastmod>2021-06-16</lastmod>
<lastmod>2021-06-19</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>
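Review bot: every `<lastmod>` in the sitemap moves from 2021-06-16 to 2021-06-19 even though this commit only changed the mail_crypt page (and the suppressed search index), so the sitemap no longer tells crawlers which pages actually changed. If the site generator can be configured to derive `lastmod` from each page's source modification time instead of the build date, only the `config/security/mail_crypt/` entry would be bumped here.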