roberto/speedtech-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
speedtech-website/content/en/blog/encrypt-compress-mailserver.md
roberto 36034fc188 Removed double blog, modified home page
2025-09-15 08:46:36 +02:00

92 lines
3.4 KiB
Markdown
Raw Permalink Blame History

+++
images = ['images/blog/encrypt-compress-emails-on-server.jpg']
tags = ['Security','Server','Privacy', 'Dovecot']
categories= ['Solutions']
date = '2022-07-08'
lastmod = '2022-07-08'
title = 'Encrypt and compress emails server side'
slug = 'encrypt-compress-email-server'
+++
To improve the security and privacy of users and save disk space, the mail server
[Dovecot](https://www.dovecot.org/) allows encrypting the files containing the e-mail messages.
<!--more-->
Compression is done through the ```zlib``` plugin while encryption is done through the ```mail_crypt``` plugin.
```bash
mail_plugins = $mail_plugins zlib mail_crypt
```
The plugins can be configured with several options
```bash
plugin {
mail_crypt_global_private_key = </etc/dovecot/crypt/master.key
mail_crypt_global_public_key = </etc/dovecot/crypt/master.pub
mail_crypt_curve = prime256v1
mail_crypt_save_version = 2
zlib_save_level = 6
zlib_save = lz4
}
```
To encrypt is necessary to create the key pair: private (```master.key```) to encrypt and public (```master.pub```) to decrypt.
In this way, in case of a server breach, and the e-mail files are stolen, they would be unreadable without the private key necessary to decrypt them.
From the moment the encryption and compression are active, all the new messages will be automatically encrypted and compressed in a transparent way for the final user.
To encrypt and compress pre-existing e-mails, simply move messages from one folder to another using an IMAP client.
Alternatively, the following bash script can be used to initiate encryption of all mail files in the example directory ```/var/vmail/domain/user/Maildir``` (compression is not possible AFAIK).
```bash
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") != "CRYPTED" ]]; then
echo $file
doveadm fs put crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
"$file" "$file"
chmod 600 "$file"
chown vmail:vmail "$file"
fi
done
```
In case, on the other hand, it is necessary to access one or more unencrypted email files, the following scripts can be used :
To decrypt only (in case the files have not been compressed)
```bash
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
echo $file
doveadm fs get crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
"$file" > "/tmp/$(basename "$file")"
if [[ -s "/tmp/$(basename "$file")" ]]; then
chmod 600 "/tmp/$(basename "$file")"
chown vmail:vmail "/tmp/$(basename "$file")"
mv "/tmp/$(basename "$file")" "$file"
else
rm "/tmp/$(basename "$file")"
fi
fi
done
```
To decrypt and decompress :
```bash
find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
echo $file
doveadm fs get compress lz4:0:crypt:private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
"$file" > "/tmp/$(basename "$file")"
if [[ -s "/tmp/$(basename "$file")" ]]; then
chmod 600 "/tmp/$(basename "$file")"
chown vmail:vmail "/tmp/$(basename "$file")"
mv "/tmp/$(basename "$file")" "$file"
else
rm "/tmp/$(basename "$file")"
fi
fi
done
```
Reference in a new issue View git blame Copy permalink