SPOT Blog

Projects Solutions Technology

Encrypt and compress emails server side

To improve the security and privacy of users and save disk space, the mail server Dovecot allows encrypting the files containing the e-mail messages.

Compression is done through the zlib plugin while encryption is done through the mail_crypt plugin.

mail_plugins = $mail_plugins zlib mail_crypt

The plugins can be configured with several options

plugin {
  mail_crypt_global_private_key = </etc/dovecot/crypt/master.key
  mail_crypt_global_public_key = </etc/dovecot/crypt/master.pub
  mail_crypt_curve = prime256v1
  mail_crypt_save_version = 2
  zlib_save_level = 6
  zlib_save = lz4
}

To encrypt is necessary to create the key pair: private (master.key) to encrypt and public (master.pub) to decrypt.

In this way, in case of a server breach, and the e-mail files are stolen, they would be unreadable without the private key necessary to decrypt them.

From the moment the encryption and compression are active, all the new messages will be automatically encrypted and compressed in a transparent way for the final user.

To encrypt and compress pre-existing e-mails, simply move messages from one folder to another using an IMAP client. Alternatively, the following bash script can be used to initiate encryption of all mail files in the example directory /var/vmail/domain/user/Maildir (compression is not possible AFAIK).

find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") != "CRYPTED" ]]; then
echo $file
doveadm fs put crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
  "$file" "$file"
  chmod 600 "$file"
  chown vmail:vmail "$file"
fi
done

In case, on the other hand, it is necessary to access one or more unencrypted email files, the following scripts can be used :

To decrypt only (in case the files have not been compressed)

find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
  echo $file
  doveadm fs get crypt private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
  "$file" > "/tmp/$(basename "$file")"
  if [[ -s "/tmp/$(basename "$file")" ]]; then
    chmod 600 "/tmp/$(basename "$file")"
    chown vmail:vmail "/tmp/$(basename "$file")"
    mv "/tmp/$(basename "$file")" "$file"
  else
    rm "/tmp/$(basename "$file")"
  fi
fi
done

To decrypt and decompress :

find /var/vmail/domain/user/Maildir -type f -regextype egrep -regex '.*S=.*W=.*' | while read -r file; do
if [[ $(head -c7 "$file") == "CRYPTED" ]]; then
  echo $file
  doveadm fs get compress lz4:0:crypt:private_key_path=/etc/dovecot/crypt/master.key:public_key_path=/etc/dovecot/crypt/master.pub:posix:prefix=/ \
  "$file" > "/tmp/$(basename "$file")"
  if [[ -s "/tmp/$(basename "$file")" ]]; then
    chmod 600 "/tmp/$(basename "$file")"
    chown vmail:vmail "/tmp/$(basename "$file")"
    mv "/tmp/$(basename "$file")" "$file"
  else
    rm "/tmp/$(basename "$file")"
  fi
fi
done
Publish date : 2022-07-08 | Last change : 2022-07-08

Categories : Solutions
Tags : Security | Server | Privacy | Dovecot

Tags

Custom CMS Database Desktop application Dovecot E-commerce File server Firewall Home Assistant Home automation Linux MariaDB NAS Networking Office server OpenSSL OpnSense Oracle Database Pascal PostgreSQL Privacy Router Security Server Software development System Administration UFW VPN Web application

Latest articles

Home automation with Home Assistant
Home automation with Home Assistant
Web spreadsheet application with sync capabilities
Web spreadsheet application with sync capabilities
Database link with PostgreSQL
Database link with PostgreSQL
Data synchronization procedures
Data synchronization procedures