mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
c461dabe9e
* rename: `docker-compose.yml` => `compose.yaml` * rename: `docker-compose` => `docker compose`
67 lines
2.5 KiB
Markdown
67 lines
2.5 KiB
Markdown
---
|
||
title: 'Security | mail_crypt (email/storage encryption)'
|
||
---
|
||
|
||
!!! info
|
||
|
||
The Mail crypt plugin is used to secure email messages stored in a Dovecot system. Messages are encrypted before written to storage and decrypted after reading. Both operations are transparent to the user.
|
||
|
||
In case of unauthorized access to the storage backend, the messages will, without access to the decryption keys, be unreadable to the offending party.
|
||
|
||
There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
|
||
|
||
|
||
|
||
Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
|
||
|
||
---
|
||
|
||
## Single Encryption Key / Global Method
|
||
|
||
1. Create `10-custom.conf` and populate it with the following:
|
||
|
||
```
|
||
# Enables mail_crypt for all services (imap, pop3, etc)
|
||
mail_plugins = $mail_plugins mail_crypt
|
||
plugin {
|
||
mail_crypt_global_private_key = </certs/ecprivkey.pem
|
||
mail_crypt_global_public_key = </certs/ecpubkey.pem
|
||
mail_crypt_save_version = 2
|
||
}
|
||
```
|
||
|
||
2. Shutdown your mailserver (`docker compose down`)
|
||
|
||
3. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key). We named them `/certs/ecprivkey.pem` and `/certs/ecpubkey.pem` in step #1.
|
||
|
||
4. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
|
||
```yaml
|
||
services:
|
||
mailserver:
|
||
image: ghcr.io/docker-mailserver/docker-mailserver:latest
|
||
volumes:
|
||
. . .
|
||
- ./certs/:/certs
|
||
. . .
|
||
```
|
||
|
||
5. While you're editing the `compose.yaml`, add the configuration file:
|
||
```yaml
|
||
services:
|
||
mailserver:
|
||
image: ghcr.io/docker-mailserver/docker-mailserver:latest
|
||
volumes:
|
||
. . .
|
||
- ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf
|
||
- ./certs/:/certs
|
||
. . .
|
||
```
|
||
|
||
6. Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
|
||
```
|
||
[root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v<36>z<EFBFBD>@<40><> m}<7D><>,<2C><>9<EFBFBD><39><EFBFBD><EFBFBD>B*<2A>247.us-west-2.compute.inE<6E><45>\Ck*<2A>@7795,W=7947:2,
|
||
T<>9<EFBFBD>8t<38>6<EFBFBD><36> t<><74><EFBFBD>e<EFBFBD>W<EFBFBD><57>S `<60>H<EFBFBD><48>C<EFBFBD>ڤ <20>yeY<65><59>XZ<58><5A>^<5E>d<EFBFBD>/<2F><>+<2B>A
|
||
```
|
||
|
||
This should be the minimum required for encryption of the mail while in storage.
|