deploy: 9c5d6ad25c

2025-08-03 17:44:49 +02:00 · 2021-06-19 10:33:59 +00:00 · 2021-06-19 10:33:59 +00:00 · 036bcaef3f
commit 036bcaef3f
parent e58cba57cc
3 changed files with 88 additions and 96 deletions
--- a/edge/config/security/mail_crypt/index.html
+++ b/edge/config/security/mail_crypt/index.html
@ -73,7 +73,7 @@
    <div data-md-component="skip">
      
        
-        <a href="#basic-setup" class="md-skip">
+        <a href="#single-encryption-key-global-method" class="md-skip">
          Skip to content
        </a>
      
@ -648,8 +648,8 @@
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
-  <a href="#basic-setup" class="md-nav__link">
-    Basic Setup
+  <a href="#single-encryption-key-global-method" class="md-nav__link">
+    Single Encryption Key / Global Method
  </a>
  
 </li>
@ -1256,8 +1256,8 @@
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
-  <a href="#basic-setup" class="md-nav__link">
-    Basic Setup
+  <a href="#single-encryption-key-global-method" class="md-nav__link">
+    Single Encryption Key / Global Method
  </a>
  
 </li>
@ -1289,62 +1289,54 @@
 </div>
 <p>Official Dovecot documentation: <a href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/">https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/</a></p>
 <hr />
-<h2 id="basic-setup"><a class="toclink" href="#basic-setup">Basic Setup</a></h2>
+<h2 id="single-encryption-key-global-method"><a class="toclink" href="#single-encryption-key-global-method">Single Encryption Key / Global Method</a></h2>
 <ol>
-<li>Before you can enable mail_crypt, you'll need to copy out several dovecot/conf.d files to the host (from a running container) and then take the container down:
-    <div class="highlight"><pre><span></span><code>mkdir -p config/dovecot
-docker cp mailserver:/etc/dovecot/conf.d/20-lmtp.conf config/dovecot/
-docker cp mailserver:/etc/dovecot/conf.d/20-imap.conf config/dovecot/
-docker cp mailserver:/etc/dovecot/conf.d/20-pop3.conf config/dovecot/
-docker-compose down
-</code></pre></div></li>
-<li>You then need to <a href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key">generate your global EC key</a>.</li>
-<li>The EC key needs to be available in the container. I prefer to mount a /certs directory into the container: 
-    <div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span>
-  <span class="nt">mailserver</span><span class="p">:</span>
-    <span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/mailserver/docker-mailserver:latest</span>
-    <span class="nt">volumes</span><span class="p">:</span>
-    <span class="l l-Scalar l-Scalar-Plain">. . .</span>
-      <span class="l l-Scalar l-Scalar-Plain">- ./certs/:/certs</span>
-    <span class="l l-Scalar l-Scalar-Plain">. . .</span>
-</code></pre></div></li>
-<li>While you're editing the docker-compose.yml, add the configuration files you copied out:
-    <div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span>
-  <span class="nt">mailserver</span><span class="p">:</span>
-    <span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/mailserver/docker-mailserver:latest</span>
-    <span class="nt">volumes</span><span class="p">:</span>
-    <span class="l l-Scalar l-Scalar-Plain">. . .</span>
-      <span class="l l-Scalar l-Scalar-Plain">- ./config/dovecot/20-lmtp.conf:/etc/dovecot/conf.d/20-lmtp.conf</span>
-      <span class="l l-Scalar l-Scalar-Plain">- ./config/dovecot/20-imap.conf:/etc/dovecot/conf.d/20-imap.conf</span>
-      <span class="l l-Scalar l-Scalar-Plain">- ./config/dovecot/20-pop3.conf:/etc/dovecot/conf.d/20-pop3.conf</span>
-      <span class="l l-Scalar l-Scalar-Plain">- ./certs/:/certs</span>
-    <span class="l l-Scalar l-Scalar-Plain">. . .</span>
-</code></pre></div></li>
-<li>The <code>mail_crypt</code> plugin, unless you're using a non-standard configuration of docker-mailserver, should be enabled on both <code>lmtp</code> and <code>imap</code>. You'll want to edit three different files:<ul>
-<li><code>./config/dovecot/20-lmtp.conf</code>
-  <div class="highlight"><pre><span></span><code>protocol lmtp {
-  mail_plugins = $mail_plugins sieve mail_crypt
-  plugin {
-    mail_crypt_global_private_key = &lt;/certs/ecprivkey.pem
-    mail_crypt_global_public_key = &lt;/certs/ecpubkey.pem
-    mail_crypt_save_version = 2
-  }
+<li>
+<p>Create <code>10-custom.conf</code> and populate it with the following:</p>
+<div class="highlight"><pre><span></span><code># Enables mail_crypt for all services (imap, pop3, etc)
+mail_plugins = $mail_plugins mail_crypt
+plugin {
+  mail_crypt_global_private_key = &lt;/certs/ecprivkey.pem
+  mail_crypt_global_public_key = &lt;/certs/ecpubkey.pem
+  mail_crypt_save_version = 2
 }
-</code></pre></div></li>
-<li><code>./config/dovecot/20-imap.conf</code>
-  <div class="highlight"><pre><span></span><code>protocol imap {
-  mail_plugins = $mail_plugins imap_quota mail_crypt
-  plugin {
-    mail_crypt_global_private_key = &lt;/certs/ecprivkey.pem
-    mail_crypt_global_public_key = &lt;/certs/ecpubkey.pem
-    mail_crypt_save_version = 2
-  }
-}
-</code></pre></div></li>
-<li>If you use pop3, make the same changes in <code>20-pop3.conf</code></li>
-</ul>
+</code></pre></div>
+</li>
+<li>
+<p>Shutdown your mailserver (<code>docker-compose down</code>)</p>
+</li>
+<li>
+<p>You then need to <a href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key">generate your global EC key</a>. We named them <code>/certs/ecprivkey.pem</code> and <code>/certs/ecpubkey.pem</code> in step #1.</p>
+</li>
+<li>
+<p>The EC key needs to be available in the container. I prefer to mount a /certs directory into the container: 
+    <div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span>
+  <span class="nt">mailserver</span><span class="p">:</span>
+    <span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/mailserver/docker-mailserver:latest</span>
+    <span class="nt">volumes</span><span class="p">:</span>
+    <span class="l l-Scalar l-Scalar-Plain">. . .</span>
+      <span class="l l-Scalar l-Scalar-Plain">- ./certs/:/certs</span>
+    <span class="l l-Scalar l-Scalar-Plain">. . .</span>
+</code></pre></div></p>
+</li>
+<li>
+<p>While you're editing the <code>docker-compose.yml</code>, add the configuration file:
+    <div class="highlight"><pre><span></span><code><span class="nt">services</span><span class="p">:</span>
+  <span class="nt">mailserver</span><span class="p">:</span>
+    <span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">docker.io/mailserver/docker-mailserver:latest</span>
+    <span class="nt">volumes</span><span class="p">:</span>
+    <span class="l l-Scalar l-Scalar-Plain">. . .</span>
+      <span class="l l-Scalar l-Scalar-Plain">- ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf</span>
+      <span class="l l-Scalar l-Scalar-Plain">- ./certs/:/certs</span>
+    <span class="l l-Scalar l-Scalar-Plain">. . .</span>
+</code></pre></div></p>
+</li>
+<li>
+<p>Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
+    <div class="highlight"><pre><span></span><code>[root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v<36>z<EFBFBD>@<40><> m}<7D><>,<2C><>9<EFBFBD><39><EFBFBD><EFBFBD>B*<2A>247.us-west-2.compute.inE<6E><45>\Ck*<2A>@7795,W=7947:2,
+T<EFBFBD>9<EFBFBD>8t<EFBFBD>6<EFBFBD><EFBFBD> t<><74><EFBFBD>e<EFBFBD>W<EFBFBD><57>S   `<60>H<EFBFBD><48>C<EFBFBD>ڤ <20>yeY<65><59>XZ<58><5A>^<5E>d<EFBFBD>/<2F><>+<2B>A
+</code></pre></div></p>
 </li>
-<li>Start the container and monitor the logs for any errors</li>
 </ol>
 <p>This should be the minimum required for encryption of the mail while in storage.</p>