reworked mail_crypt guide to make things way more simple and prepare … (#2043)

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
Nathan Pierce 2021-06-19 06:33:30 -04:00 committed by GitHub
parent 80a0425ade
commit 9c5d6ad25c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -10,22 +10,31 @@ title: 'Security | mail_crypt (email/storage encryption)'
There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
---
## Basic Setup
## Single Encryption Key / Global Method
1. Create `10-custom.conf` and populate it with the following:
1. Before you can enable mail_crypt, you'll need to copy out several dovecot/conf.d files to the host (from a running container) and then take the container down:
```bash
mkdir -p config/dovecot
docker cp mailserver:/etc/dovecot/conf.d/20-lmtp.conf config/dovecot/
docker cp mailserver:/etc/dovecot/conf.d/20-imap.conf config/dovecot/
docker cp mailserver:/etc/dovecot/conf.d/20-pop3.conf config/dovecot/
docker-compose down
```
2. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key).
3. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
# Enables mail_crypt for all services (imap, pop3, etc)
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_global_private_key = </certs/ecprivkey.pem
mail_crypt_global_public_key = </certs/ecpubkey.pem
mail_crypt_save_version = 2
}
```
2. Shutdown your mailserver (`docker-compose down`)
3. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key). We named them `/certs/ecprivkey.pem` and `/certs/ecpubkey.pem` in step #1.
4. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
```yaml
services:
mailserver:
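Review bot: the `10-custom.conf` block in step 1 has no opening code fence in this hunk (the content starts at `# Enables mail_crypt for all services (imap, pop3, etc)` and only the closing fence at the end of the block is present), so the remainder of the numbered list will render as code; add the opening fence with the same language tag the surrounding blocks use. Step 1 should also state where the file lives (`config/dovecot/10-custom.conf`, the host path that the compose volume entry in step 5 mounts) and make clear that `</certs/ecprivkey.pem` causes Dovecot to read the private key from that path inside the container, so the host side of the `./certs/:/certs` mount should carry owner-only permissions and be excluded from version control. Minor: "Shutdown your mailserver" should read "Shut down your mailserver".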
@ -35,43 +44,23 @@ Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mai
- ./certs/:/certs
. . .
```
4. While you're editing the docker-compose.yml, add the configuration files you copied out:
5. While you're editing the `docker-compose.yml`, add the configuration file:
```yaml
services:
mailserver:
image: docker.io/mailserver/docker-mailserver:latest
volumes:
. . .
- ./config/dovecot/20-lmtp.conf:/etc/dovecot/conf.d/20-lmtp.conf
- ./config/dovecot/20-imap.conf:/etc/dovecot/conf.d/20-imap.conf
- ./config/dovecot/20-pop3.conf:/etc/dovecot/conf.d/20-pop3.conf
- ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf
- ./certs/:/certs
. . .
```
5. The `mail_crypt` plugin, unless you're using a non-standard configuration of docker-mailserver, should be enabled on both `lmtp` and `imap`. You'll want to edit three different files:
- `./config/dovecot/20-lmtp.conf`
```
protocol lmtp {
mail_plugins = $mail_plugins sieve mail_crypt
plugin {
mail_crypt_global_private_key = </certs/ecprivkey.pem
mail_crypt_global_public_key = </certs/ecpubkey.pem
mail_crypt_save_version = 2
}
}
```
- `./config/dovecot/20-imap.conf`
```
protocol imap {
mail_plugins = $mail_plugins imap_quota mail_crypt
plugin {
mail_crypt_global_private_key = </certs/ecprivkey.pem
mail_crypt_global_public_key = </certs/ecpubkey.pem
mail_crypt_save_version = 2
}
}
```
- If you use pop3, make the same changes in `20-pop3.conf`
6. Start the container and monitor the logs for any errors
This should be the minimum required for encryption of the mail while in storage.
6. Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
```
[root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v<36>z<EFBFBD>@<40><> m}<7D><>,<2C><>9<EFBFBD><39><EFBFBD><EFBFBD>B*<2A>247.us-west-2.compute.inE<6E><45>\Ck*<2A>@7795,W=7947:2,
T<>9<EFBFBD>8t<38>6<EFBFBD><36> t<><74><EFBFBD>e<EFBFBD>W<EFBFBD><57>S `<60>H<EFBFBD><48>C<EFBFBD>ڤ <20>yeY<65><59>XZ<58><5A>^<5E>d<EFBFBD>/<2F><>+<2B>A
```
This should be the minimum required for encryption of the mail while in storage.
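Review bot: the `cat -A` sample in step 6 is raw ciphertext that does not survive rendering, and the prompt and path expose the author's environment (`ip-XXXXXXXXXX`, `247.us-west-2.compute.in...`, `/mnt/efs-us-west-2/maildata/...`); replace it with a short generic example and say what the reader should confirm, namely that the dumped file shows no readable headers such as `From:` or `Subject:`, which is the actual check that storage encryption is in effect. Since this hunk drops the per-protocol `mail_plugins = $mail_plugins sieve mail_crypt` and `mail_plugins = $mail_plugins imap_quota mail_crypt` lines from `20-lmtp.conf` and `20-imap.conf` in favour of the single global line in `10-custom.conf`, one sentence explaining why that is sufficient (the `protocol lmtp` and `protocol imap` blocks expand `$mail_plugins` from the global value loaded earlier from `10-custom.conf`) would help readers who still keep their own protocol-level overrides and might otherwise drop mail_crypt from one protocol by accident.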