reworked mail_crypt guide to make things way more simple and prepare … (#2043)

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> * Update docs/content/config/security/mail_crypt.md Co-authored-by: Casper <casperklein@users.noreply.github.com> Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Co-authored-by: Casper <casperklein@users.noreply.github.com>
2024-01-19 02:48:50 +00:00 · 2021-06-19 06:33:30 -04:00 · 2021-06-19 06:33:30 -04:00 · 9c5d6ad25c
parent 80a0425ade
commit 9c5d6ad25c
1 changed files with 29 additions and 40 deletions
--- a/docs/content/config/security/mail_crypt.md
+++ b/docs/content/config/security/mail_crypt.md
@ -10,22 +10,31 @@ title: 'Security | mail_crypt (email/storage encryption)'

    There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.

+
+
 Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

 ---

-## Basic Setup
+## Single Encryption Key / Global Method
+
+1. Create `10-custom.conf` and populate it with the following:

-1. Before you can enable mail_crypt, you'll need to copy out several dovecot/conf.d files to the host (from a running container) and then take the container down:
-    ```bash
-    mkdir -p config/dovecot
-    docker cp mailserver:/etc/dovecot/conf.d/20-lmtp.conf config/dovecot/
-    docker cp mailserver:/etc/dovecot/conf.d/20-imap.conf config/dovecot/
-    docker cp mailserver:/etc/dovecot/conf.d/20-pop3.conf config/dovecot/
-    docker-compose down
    ```
-2. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key).
-3. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container: 
+    # Enables mail_crypt for all services (imap, pop3, etc)
+    mail_plugins = $mail_plugins mail_crypt
+    plugin {
+      mail_crypt_global_private_key = </certs/ecprivkey.pem
+      mail_crypt_global_public_key = </certs/ecpubkey.pem
+      mail_crypt_save_version = 2
+    }
+    ```
+
+2. Shutdown your mailserver (`docker-compose down`)
+
+3. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key). We named them `/certs/ecprivkey.pem` and `/certs/ecpubkey.pem` in step #1.
+
+4. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container: 
    ```yaml
    services:
      mailserver:
@ -35,43 +44,23 @@ Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mai
          - ./certs/:/certs
        . . .
    ```
-4. While you're editing the docker-compose.yml, add the configuration files you copied out:
+
+5. While you're editing the `docker-compose.yml`, add the configuration file:
    ```yaml
    services:
      mailserver:
        image: docker.io/mailserver/docker-mailserver:latest
        volumes:
        . . .
-          - ./config/dovecot/20-lmtp.conf:/etc/dovecot/conf.d/20-lmtp.conf
-          - ./config/dovecot/20-imap.conf:/etc/dovecot/conf.d/20-imap.conf
-          - ./config/dovecot/20-pop3.conf:/etc/dovecot/conf.d/20-pop3.conf
+          - ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf
          - ./certs/:/certs
        . . .
    ```
-5. The `mail_crypt` plugin, unless you're using a non-standard configuration of docker-mailserver, should be enabled on both `lmtp` and `imap`. You'll want to edit three different files:
-    - `./config/dovecot/20-lmtp.conf`
-      ```
-      protocol lmtp {
-        mail_plugins = $mail_plugins sieve mail_crypt
-        plugin {
-          mail_crypt_global_private_key = </certs/ecprivkey.pem
-          mail_crypt_global_public_key = </certs/ecpubkey.pem
-          mail_crypt_save_version = 2
-        }
-      }
-      ```
-    - `./config/dovecot/20-imap.conf`
-      ```
-      protocol imap {
-        mail_plugins = $mail_plugins imap_quota mail_crypt
-        plugin {
-          mail_crypt_global_private_key = </certs/ecprivkey.pem
-          mail_crypt_global_public_key = </certs/ecpubkey.pem
-          mail_crypt_save_version = 2
-        }
-      }
-      ```
-    - If you use pop3, make the same changes in `20-pop3.conf`
-6. Start the container and monitor the logs for any errors
+
+6. Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
+    ```
+    [root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v<36>z<EFBFBD>@<40><> m}<7D><>,<2C><>9<EFBFBD><39><EFBFBD><EFBFBD>B*<2A>247.us-west-2.compute.inE<6E><45>\Ck*<2A>@7795,W=7947:2,
+    T<>9<EFBFBD>8t<38>6<EFBFBD><36> t<><74><EFBFBD>e<EFBFBD>W<EFBFBD><57>S   `<60>H<EFBFBD><48>C<EFBFBD>ڤ <20>yeY<65><59>XZ<58><5A>^<5E>d<EFBFBD>/<2F><>+<2B>A
+    ```

 This should be the minimum required for encryption of the mail while in storage.