mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
0fb5251c20
* mail_crypt plugin + quick improvement to dovecot override defaults doc * quick change for <your-container-name> to use mailserver Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
3.1 KiB
3.1 KiB
title |
---|
Security | mail_crypt (email/storage encryption) |
!!! info
The Mail crypt plugin is used to secure email messages stored in a Dovecot system. Messages are encrypted before written to storage and decrypted after reading. Both operations are transparent to the user.
In case of unauthorized access to the storage backend, the messages will, without access to the decryption keys, be unreadable to the offending party.
There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
Basic Setup
- Before you can enable mail_crypt, you'll need to copy out several dovecot/conf.d files to the host (from a running container) and then take the container down:
mkdir -p config/dovecot docker cp mailserver:/etc/dovecot/conf.d/20-lmtp.conf config/dovecot/ docker cp mailserver:/etc/dovecot/conf.d/20-imap.conf config/dovecot/ docker cp mailserver:/etc/dovecot/conf.d/20-pop3.conf config/dovecot/ docker-compose down
- You then need to generate your global EC key.
- The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
services: mailserver: image: docker.io/mailserver/docker-mailserver:latest volumes: . . . - ./certs/:/certs . . .
- While you're editing the docker-compose.yml, add the configuration files you copied out:
services: mailserver: image: docker.io/mailserver/docker-mailserver:latest volumes: . . . - ./config/dovecot/20-lmtp.conf:/etc/dovecot/conf.d/20-lmtp.conf - ./config/dovecot/20-imap.conf:/etc/dovecot/conf.d/20-imap.conf - ./config/dovecot/20-pop3.conf:/etc/dovecot/conf.d/20-pop3.conf - ./certs/:/certs . . .
- The
mail_crypt
plugin, unless you're using a non-standard configuration of docker-mailserver, should be enabled on bothlmtp
andimap
. You'll want to edit three different files:./config/dovecot/20-lmtp.conf
protocol lmtp { mail_plugins = $mail_plugins sieve mail_crypt plugin { mail_crypt_global_private_key = </certs/ecprivkey.pem mail_crypt_global_public_key = </certs/ecpubkey.pem mail_crypt_save_version = 2 } }
./config/dovecot/20-imap.conf
protocol imap { mail_plugins = $mail_plugins imap_quota mail_crypt plugin { mail_crypt_global_private_key = </certs/ecprivkey.pem mail_crypt_global_public_key = </certs/ecpubkey.pem mail_crypt_save_version = 2 } }
- If you use pop3, make the same changes in
20-pop3.conf
- Start the container and monitor the logs for any errors
This should be the minimum required for encryption of the mail while in storage.