3.4 KiB
+++ images = ['images/blog/encrypt-compress-emails-on-server.jpg'] tagsspot = ['Security','Server','Privacy', 'Dovecot'] categoriesspot= ['Solutions'] date = '2022-07-08' lastmod = '2022-07-08' title = 'Encrypt and compress emails server side' slug = 'encrypt-compress-email-server' +++
To improve the security and privacy of users and save disk space, the mail server Dovecot allows encrypting the files containing the e-mail messages.
Compression is done through the zlib
plugin while encryption is done through the mail_crypt
plugin.
mail_plugins = $mail_plugins zlib mail_crypt
The plugins can be configured with several options
plugin {
mail_crypt_global_private_key = </etc/dovecot/crypt/master.key
mail_crypt_global_public_key = </etc/dovecot/crypt/master.pub
mail_crypt_curve = prime256v1
mail_crypt_save_version = 2
zlib_save_level = 6
zlib_save = lz4
}
To encrypt is necessary to create the key pair: private (master.key
) to encrypt and public (master.pub
) to decrypt.
In this way, in case of a server breach, and the e-mail files are stolen, they would be unreadable without the private key necessary to decrypt them.
From the moment the encryption and compression are active, all the new messages will be automatically encrypted and compressed in a transparent way for the final user.
To encrypt and compress pre-existing e-mails, simply move messages from one folder to another using an IMAP client.
Alternatively, the following bash script can be used to initiate encryption of all mail files in the example directory /var/vmail/domain/user/Maildir
(compression is not possible AFAIK).
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") != "CRYPTED" ]]; then
echo $file
doveadm fs put crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
"$file" "$file"
chmod 600 "$file"
chown vmail:vmail "$file"
fi
done
In case, on the other hand, it is necessary to access one or more unencrypted email files, the following scripts can be used :
To decrypt only (in case the files have not been compressed)
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
echo $file
doveadm fs get crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
"$file" > "/tmp/$(basename "$file")"
if [[ -s "/tmp/$(basename "$file")" ]]; then
chmod 600 "/tmp/$(basename "$file")"
chown vmail:vmail "/tmp/$(basename "$file")"
mv "/tmp/$(basename "$file")" "$file"
else
rm "/tmp/$(basename "$file")"
fi
fi
done
To decrypt and decompress :
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
echo $file
doveadm fs get compress lz4:0:crypt:private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
"$file" > "/tmp/$(basename "$file")"
if [[ -s "/tmp/$(basename "$file")" ]]; then
chmod 600 "/tmp/$(basename "$file")"
chown vmail:vmail "/tmp/$(basename "$file")"
mv "/tmp/$(basename "$file")" "$file"
else
rm "/tmp/$(basename "$file")"
fi
fi
done