On 28.10.2013 17:02, Douglas Mortensen wrote:
> Hi,
>
> We have clients with various security & compliance requirements.
> Although not required, it would be ideal to have messages encrypted
> at rest. We already use SSL/TLS to secure the transmission of most
> email. However, it would be nice to have them encrypted sitting on
> our server. Is anyone doing this? I think that ideally, rather than
> full-disk encryption, we should use an encryption that encrypts the
> actual email messages as they sit on our file system. This way even
> if we ever had our server breached by an attacker, they wouldn't be
> able to do anything with the messages. However, this would also
> mean that if the attacker can't decrypt the files, then dovecot and
> postfix still would need to. This means that the encryption key
> would need to be available to the dovecot daemon. We'd either need
> to have it in a file that is restricted to access only by dovecot
> (less secure), or use an encryption passphrase for the certificate
> which would have to be typed in manually each time that dovecot
> starts or restarts (more secure, but also more work and possibility
> of disruption because the server can't restart gracefully without a
> human being having to be present [although I don't think we have
> issues with unexpected restarts anyway]).
>
> Is anyone doing anything like this with dovecot?

perhaps look at
https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve

>
> Thanks!!
> - Doug Mortensen
> Network Consultant
> Impala Networks Inc
> CCNA, MCSA, Security+, A+ Linux+, Network+, Server+
> A.A.S. Information Technology
> www.impalanetworks.com
> P: (505) 327-7300
> F: (505) 327-7545
>

Best Regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein