mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
reworked mail_crypt guide to make things way more simple and prepare … (#2043)
* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Co-authored-by: Casper <casperklein@users.noreply.github.com>
This commit is contained in:
parent
80a0425ade
commit
9c5d6ad25c
|
@ -10,22 +10,31 @@ title: 'Security | mail_crypt (email/storage encryption)'
|
||||||
|
|
||||||
There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
|
There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
|
Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Basic Setup
|
## Single Encryption Key / Global Method
|
||||||
|
|
||||||
|
1. Create `10-custom.conf` and populate it with the following:
|
||||||
|
|
||||||
1. Before you can enable mail_crypt, you'll need to copy out several dovecot/conf.d files to the host (from a running container) and then take the container down:
|
|
||||||
```bash
|
|
||||||
mkdir -p config/dovecot
|
|
||||||
docker cp mailserver:/etc/dovecot/conf.d/20-lmtp.conf config/dovecot/
|
|
||||||
docker cp mailserver:/etc/dovecot/conf.d/20-imap.conf config/dovecot/
|
|
||||||
docker cp mailserver:/etc/dovecot/conf.d/20-pop3.conf config/dovecot/
|
|
||||||
docker-compose down
|
|
||||||
```
|
```
|
||||||
2. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key).
|
# Enables mail_crypt for all services (imap, pop3, etc)
|
||||||
3. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
|
mail_plugins = $mail_plugins mail_crypt
|
||||||
|
plugin {
|
||||||
|
mail_crypt_global_private_key = </certs/ecprivkey.pem
|
||||||
|
mail_crypt_global_public_key = </certs/ecpubkey.pem
|
||||||
|
mail_crypt_save_version = 2
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Shutdown your mailserver (`docker-compose down`)
|
||||||
|
|
||||||
|
3. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key). We named them `/certs/ecprivkey.pem` and `/certs/ecpubkey.pem` in step #1.
|
||||||
|
|
||||||
|
4. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
|
||||||
```yaml
|
```yaml
|
||||||
services:
|
services:
|
||||||
mailserver:
|
mailserver:
|
||||||
|
@ -35,43 +44,23 @@ Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mai
|
||||||
- ./certs/:/certs
|
- ./certs/:/certs
|
||||||
. . .
|
. . .
|
||||||
```
|
```
|
||||||
4. While you're editing the docker-compose.yml, add the configuration files you copied out:
|
|
||||||
|
5. While you're editing the `docker-compose.yml`, add the configuration file:
|
||||||
```yaml
|
```yaml
|
||||||
services:
|
services:
|
||||||
mailserver:
|
mailserver:
|
||||||
image: docker.io/mailserver/docker-mailserver:latest
|
image: docker.io/mailserver/docker-mailserver:latest
|
||||||
volumes:
|
volumes:
|
||||||
. . .
|
. . .
|
||||||
- ./config/dovecot/20-lmtp.conf:/etc/dovecot/conf.d/20-lmtp.conf
|
- ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf
|
||||||
- ./config/dovecot/20-imap.conf:/etc/dovecot/conf.d/20-imap.conf
|
|
||||||
- ./config/dovecot/20-pop3.conf:/etc/dovecot/conf.d/20-pop3.conf
|
|
||||||
- ./certs/:/certs
|
- ./certs/:/certs
|
||||||
. . .
|
. . .
|
||||||
```
|
```
|
||||||
5. The `mail_crypt` plugin, unless you're using a non-standard configuration of docker-mailserver, should be enabled on both `lmtp` and `imap`. You'll want to edit three different files:
|
|
||||||
- `./config/dovecot/20-lmtp.conf`
|
6. Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
|
||||||
```
|
```
|
||||||
protocol lmtp {
|
[root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v<36>z<EFBFBD>@<40><> m}<7D><>,<2C><>9<EFBFBD><39><EFBFBD><EFBFBD>B*<2A>247.us-west-2.compute.inE<6E><45>\Ck*<2A>@7795,W=7947:2,
|
||||||
mail_plugins = $mail_plugins sieve mail_crypt
|
T<>9<EFBFBD>8t<38>6<EFBFBD><36> t<><74><EFBFBD>e<EFBFBD>W<EFBFBD><57>S `<60>H<EFBFBD><48>C<EFBFBD>ڤ <20>yeY<65><59>XZ<58><5A>^<5E>d<EFBFBD>/<2F><>+<2B>A
|
||||||
plugin {
|
|
||||||
mail_crypt_global_private_key = </certs/ecprivkey.pem
|
|
||||||
mail_crypt_global_public_key = </certs/ecpubkey.pem
|
|
||||||
mail_crypt_save_version = 2
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
```
|
||||||
- `./config/dovecot/20-imap.conf`
|
|
||||||
```
|
|
||||||
protocol imap {
|
|
||||||
mail_plugins = $mail_plugins imap_quota mail_crypt
|
|
||||||
plugin {
|
|
||||||
mail_crypt_global_private_key = </certs/ecprivkey.pem
|
|
||||||
mail_crypt_global_public_key = </certs/ecpubkey.pem
|
|
||||||
mail_crypt_save_version = 2
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
- If you use pop3, make the same changes in `20-pop3.conf`
|
|
||||||
6. Start the container and monitor the logs for any errors
|
|
||||||
|
|
||||||
This should be the minimum required for encryption of the mail while in storage.
|
This should be the minimum required for encryption of the mail while in storage.
|
Loading…
Reference in a new issue