speedtech-website/content/en/blogspot/encrypt-compress-mailserver.md
2024-10-04 11:58:15 +02:00

3.4 KiB

+++ images = ['images/blog/encrypt-compress-emails-on-server.jpg'] tagsspot = ['Security','Server','Privacy', 'Dovecot'] categoriesspot= ['Solutions'] date = '2022-07-08' lastmod = '2022-07-08' title = 'Encrypt and compress emails server side' slug = 'encrypt-compress-email-server' +++

To improve the security and privacy of users and save disk space, the mail server Dovecot allows encrypting the files containing the e-mail messages.

Compression is done through the zlib plugin while encryption is done through the mail_crypt plugin.

mail_plugins = $mail_plugins zlib mail_crypt

The plugins can be configured with several options

plugin {
  mail_crypt_global_private_key = </etc/dovecot/crypt/master.key
  mail_crypt_global_public_key = </etc/dovecot/crypt/master.pub
  mail_crypt_curve = prime256v1
  mail_crypt_save_version = 2
  zlib_save_level = 6
  zlib_save = lz4
}

To encrypt is necessary to create the key pair: private (master.key) to encrypt and public (master.pub) to decrypt.

In this way, in case of a server breach, and the e-mail files are stolen, they would be unreadable without the private key necessary to decrypt them.

From the moment the encryption and compression are active, all the new messages will be automatically encrypted and compressed in a transparent way for the final user.

To encrypt and compress pre-existing e-mails, simply move messages from one folder to another using an IMAP client. Alternatively, the following bash script can be used to initiate encryption of all mail files in the example directory /var/vmail/domain/user/Maildir (compression is not possible AFAIK).

find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") != "CRYPTED" ]]; then
echo $file
doveadm fs put crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
  "$file" "$file"
  chmod 600 "$file"
  chown vmail:vmail "$file"
fi
done

In case, on the other hand, it is necessary to access one or more unencrypted email files, the following scripts can be used :

To decrypt only (in case the files have not been compressed)

find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
  echo $file
  doveadm fs get crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
  "$file" > "/tmp/$(basename "$file")"
  if [[ -s "/tmp/$(basename "$file")" ]]; then
    chmod 600 "/tmp/$(basename "$file")"
    chown vmail:vmail "/tmp/$(basename "$file")"
    mv "/tmp/$(basename "$file")" "$file"
  else
    rm "/tmp/$(basename "$file")"
  fi
fi
done

To decrypt and decompress :

find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
  echo $file
  doveadm fs get compress lz4:0:crypt:private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
  "$file" > "/tmp/$(basename "$file")"
  if [[ -s "/tmp/$(basename "$file")" ]]; then
    chmod 600 "/tmp/$(basename "$file")"
    chown vmail:vmail "/tmp/$(basename "$file")"
    mv "/tmp/$(basename "$file")" "$file"
  else
    rm "/tmp/$(basename "$file")"
  fi
fi
done