From 9c5d6ad25cd59f6af0b9a599cca472f9b456dbd5 Mon Sep 17 00:00:00 2001
From: Nathan Pierce <NorseGaud@users.noreply.github.com>
Date: Sat, 19 Jun 2021 06:33:30 -0400
Subject: [PATCH] =?UTF-8?q?reworked=20mail=5Fcrypt=20guide=20to=20make=20t?=
 =?UTF-8?q?hings=20way=20more=20simple=20and=20prepare=20=E2=80=A6=20(#204?=
 =?UTF-8?q?3)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
---
 docs/content/config/security/mail_crypt.md | 69 +++++++++-------------
 1 file changed, 29 insertions(+), 40 deletions(-)

diff --git a/docs/content/config/security/mail_crypt.md b/docs/content/config/security/mail_crypt.md
index ce6938ea..7b641ea7 100644
--- a/docs/content/config/security/mail_crypt.md
+++ b/docs/content/config/security/mail_crypt.md
@@ -10,22 +10,31 @@ title: 'Security | mail_crypt (email/storage encryption)'
 
     There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
 
+
+
 Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
 
 ---
 
-## Basic Setup
+## Single Encryption Key / Global Method
+
+1. Create `10-custom.conf` and populate it with the following:
 
-1. Before you can enable mail_crypt, you'll need to copy out several dovecot/conf.d files to the host (from a running container) and then take the container down:
-    ```bash
-    mkdir -p config/dovecot
-    docker cp mailserver:/etc/dovecot/conf.d/20-lmtp.conf config/dovecot/
-    docker cp mailserver:/etc/dovecot/conf.d/20-imap.conf config/dovecot/
-    docker cp mailserver:/etc/dovecot/conf.d/20-pop3.conf config/dovecot/
-    docker-compose down
     ```
-2. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key).
-3. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container: 
+    # Enables mail_crypt for all services (imap, pop3, etc)
+    mail_plugins = $mail_plugins mail_crypt
+    plugin {
+      mail_crypt_global_private_key = </certs/ecprivkey.pem
+      mail_crypt_global_public_key = </certs/ecpubkey.pem
+      mail_crypt_save_version = 2
+    }
+    ```
+
+2. Shutdown your mailserver (`docker-compose down`)
+
+3. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key). We named them `/certs/ecprivkey.pem` and `/certs/ecpubkey.pem` in step #1.
+
+4. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container: 
     ```yaml
     services:
       mailserver:
@@ -35,43 +44,23 @@ Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mai
           - ./certs/:/certs
         . . .
     ```
-4. While you're editing the docker-compose.yml, add the configuration files you copied out:
+
+5. While you're editing the `docker-compose.yml`, add the configuration file:
     ```yaml
     services:
       mailserver:
         image: docker.io/mailserver/docker-mailserver:latest
         volumes:
         . . .
-          - ./config/dovecot/20-lmtp.conf:/etc/dovecot/conf.d/20-lmtp.conf
-          - ./config/dovecot/20-imap.conf:/etc/dovecot/conf.d/20-imap.conf
-          - ./config/dovecot/20-pop3.conf:/etc/dovecot/conf.d/20-pop3.conf
+          - ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf
           - ./certs/:/certs
         . . .
     ```
-5. The `mail_crypt` plugin, unless you're using a non-standard configuration of docker-mailserver, should be enabled on both `lmtp` and `imap`. You'll want to edit three different files:
-    - `./config/dovecot/20-lmtp.conf`
-      ```
-      protocol lmtp {
-        mail_plugins = $mail_plugins sieve mail_crypt
-        plugin {
-          mail_crypt_global_private_key = </certs/ecprivkey.pem
-          mail_crypt_global_public_key = </certs/ecpubkey.pem
-          mail_crypt_save_version = 2
-        }
-      }
-      ```
-    - `./config/dovecot/20-imap.conf`
-      ```
-      protocol imap {
-        mail_plugins = $mail_plugins imap_quota mail_crypt
-        plugin {
-          mail_crypt_global_private_key = </certs/ecprivkey.pem
-          mail_crypt_global_public_key = </certs/ecpubkey.pem
-          mail_crypt_save_version = 2
-        }
-      }
-      ```
-    - If you use pop3, make the same changes in `20-pop3.conf`
-6. Start the container and monitor the logs for any errors
 
-This should be the minimum required for encryption of the mail while in storage.
\ No newline at end of file
+6. Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
+    ```
+    [root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v�z�@�� m}��,��9����B*�247.us-west-2.compute.inE��\Ck*�@7795,W=7947:2,
+    T�9�8t�6�� t���e�W��S   `�H��C�ڤ �yeY��XZ��^�d�/��+�A
+    ```
+
+This should be the minimum required for encryption of the mail while in storage.