93 lines
3.4 KiB
Markdown
93 lines
3.4 KiB
Markdown
+++
|
|
images = ['images/blog/encrypt-compress-emails-on-server.jpg']
|
|
tagsspot = ['Security','Server','Privacy', 'Dovecot']
|
|
categoriesspot= ['Solutions']
|
|
date = '2022-07-08'
|
|
lastmod = '2022-07-08'
|
|
title = 'Encrypt and compress emails server side'
|
|
slug = 'encrypt-compress-email-server'
|
|
+++
|
|
|
|
To improve the security and privacy of users and save disk space, the mail server
|
|
[Dovecot](https://www.dovecot.org/) allows encrypting the files containing the e-mail messages.
|
|
|
|
<!--more-->
|
|
Compression is done through the ```zlib``` plugin while encryption is done through the ```mail_crypt``` plugin.
|
|
|
|
```bash
|
|
mail_plugins = $mail_plugins zlib mail_crypt
|
|
```
|
|
|
|
The plugins can be configured with several options
|
|
|
|
```bash
|
|
plugin {
|
|
mail_crypt_global_private_key = </etc/dovecot/crypt/master.key
|
|
mail_crypt_global_public_key = </etc/dovecot/crypt/master.pub
|
|
mail_crypt_curve = prime256v1
|
|
mail_crypt_save_version = 2
|
|
zlib_save_level = 6
|
|
zlib_save = lz4
|
|
}
|
|
```
|
|
|
|
To encrypt is necessary to create the key pair: private (```master.key```) to encrypt and public (```master.pub```) to decrypt.
|
|
|
|
In this way, in case of a server breach, and the e-mail files are stolen, they would be unreadable without the private key necessary to decrypt them.
|
|
|
|
From the moment the encryption and compression are active, all the new messages will be automatically encrypted and compressed in a transparent way for the final user.
|
|
|
|
To encrypt and compress pre-existing e-mails, simply move messages from one folder to another using an IMAP client.
|
|
Alternatively, the following bash script can be used to initiate encryption of all mail files in the example directory ```/var/vmail/domain/user/Maildir``` (compression is not possible AFAIK).
|
|
|
|
```bash
|
|
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
|
|
if [[ $(head -c7 "$file") != "CRYPTED" ]]; then
|
|
echo $file
|
|
doveadm fs put crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
|
|
"$file" "$file"
|
|
chmod 600 "$file"
|
|
chown vmail:vmail "$file"
|
|
fi
|
|
done
|
|
```
|
|
|
|
In case, on the other hand, it is necessary to access one or more unencrypted email files, the following scripts can be used :
|
|
|
|
To decrypt only (in case the files have not been compressed)
|
|
|
|
```bash
|
|
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
|
|
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
|
|
echo $file
|
|
doveadm fs get crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
|
|
"$file" > "/tmp/$(basename "$file")"
|
|
if [[ -s "/tmp/$(basename "$file")" ]]; then
|
|
chmod 600 "/tmp/$(basename "$file")"
|
|
chown vmail:vmail "/tmp/$(basename "$file")"
|
|
mv "/tmp/$(basename "$file")" "$file"
|
|
else
|
|
rm "/tmp/$(basename "$file")"
|
|
fi
|
|
fi
|
|
done
|
|
```
|
|
To decrypt and decompress :
|
|
|
|
```bash
|
|
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
|
|
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
|
|
echo $file
|
|
doveadm fs get compress lz4:0:crypt:private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
|
|
"$file" > "/tmp/$(basename "$file")"
|
|
if [[ -s "/tmp/$(basename "$file")" ]]; then
|
|
chmod 600 "/tmp/$(basename "$file")"
|
|
chown vmail:vmail "/tmp/$(basename "$file")"
|
|
mv "/tmp/$(basename "$file")" "$file"
|
|
else
|
|
rm "/tmp/$(basename "$file")"
|
|
fi
|
|
fi
|
|
done
|
|
```
|