I would definitely get mail-crypt working on your system before worrying
about encrypting existing emails. Iirc dovecot should support both types
of files (encrypted, and non-encrypted) concurrently. So BEFORE you try
anything, make sure via logs, etc that mail is being written to the fs
as an encrypted file and that dovecot is able to decrypt it (i.e. you
are able to view that particular mail file from your email client).
My specific use case way back was to encrypt a maildir system using this
plugin a year or so ago. I believe there are 2 ways to set mail-crypt
up. Using global keys or folder-specific keys. What you will learn going
through this process using folder-specific keys is that any time mail is
moved (from an IMAP directory to another) the mail becomes effectively
re-encrypted using the destination's folder keys. I imagine how this
works under global keys is that the mail is encrypted once when it is
moved, then never again unless keys change. So all you would need to do
to encrypt existing mail using either method would be to create a temp
imap folder, move mail from each IMAP folder one at a time into this
temp folder, then back to the original IMAP folder.
I had a few questions at the time in implementing this, so I've linked
here the dovecot mailing list thread so it might provide some context if
needed:
https://dovecot.org/pipermail/dovecot/2021-July/122469.html
On 2/21/23 16:29, Jeremy wrote:
> On Tuesday, February 21st, 2023 at 09:54, Aki Tuomi
> <aki.tu...@open-xchange.com> wrote:
>> On 16/02/2023 07:18 EET mailinglist-subscriptions
>> mailinglist-subscripti...@protonmail.com wrote:
>>> Hi,
>>>
>>> I am using dovecot 2.3.16, along with postfix and a PostgreSQL database for
>>> managing virtual accounts.
>>>
>>> I'd like to start using the mail-crypt plugin. However, I'm having some
>>> difficulty understanding the documentation at
>>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin
>>> to reach my goal. I plan to ask questions about those issues by starting new
>>> threads in this mailing list. But before I even come to that, I'd like to
>>> investigate the following:
>>>
>>> The above documentation only addresses a clean install and doesn't seem to
>>> mention encrypting already existing unencrypted mails, like my server has. Is
>>> it possible to encrypt those before I start using the mail-crypt plugin, such
>>> that it will be able to decrypt those messages as well?
>>>
>>> If it is, I am assuming that how I would go about achieving that will be very
>>> dependent on the ultimate configuration I have in mind (pub/priv keys, etc.).
>>> So I don't expect a full-fledged guide. However, if you could perhaps give a
>>> general overview of what would be needed to achieve this, I would very much
>>> appreciate that.
>>>
>>> Thank you.
>>
>> It will be easiest to do a migration to a new server, then the data will get
>> encrypted while migrating. It is possible to write a script to do this, but it
>> will be much more hassle than migration.
>>
>> You might even be able to do it for one user at a time, by doing migration from
>> maildir to maildir and then moving the new maildir over the old one.
>>
>> Aki
>
> Thanks for the suggestion. However, migrating sounds like quite the hassle as
> well.
>
> Now, I have next to no knowledge about the synchronization workings of IMAP, so
> perhaps this is totally infeasible, but could the following work?
>
> - Preface
> I am the only user of the mail server, with one virtual catch-all account for
> each domain I own. I access these accounts with Thunderbird.
>
> - Solution
> I make a backup of all mail in my Thunderbird accounts. Then I either delete
> all mails from within Thunderbird, or on the server. Then I configure the
> mail-crypt plugin. And then I import all backup mails and folders into my
> Thunderbird accounts again?
>
> Could that work? Or would that mess up the synchronization history (message IDs
> and what not)? And most importantly, if it actually could work, would the
> messages be properly encrypted then?
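The first reply in this thread recommends checking, on the filesystem, that new mail really lands as an encrypted file before touching existing messages, and then moving each IMAP folder's mail through a temporary folder so it gets re-encrypted. The following is an added example, not code from the thread, from Dovecot or from any poster: a small Python checker that walks a Maildir++ tree and reports which message files are mail-crypt containers and which are still plaintext, so the folder-by-folder move can be verified afterwards. It assumes (labelled in the code) that a mail-crypt container on disk begins with the ASCII magic `CRYPTED` followed by version bytes, whereas a plaintext message starts with a header line; the sample Maildir it builds in a scratch directory is constructed for the demo and its "encrypted" file is only the magic plus filler, not a real ciphertext.

```python
"""Verify that mail on disk is actually in mail-crypt form.

Added example for this thread, not code from Dovecot or from any poster.
Assumption (labelled): a message written by Dovecot's mail-crypt plugin is a
container file that begins with the ASCII magic b"CRYPTED" (followed by
version bytes), while an unencrypted message begins with an RFC 822 header
line and can never start with that sequence.
"""
import os
import sys
import tempfile
from pathlib import Path

# Assumption: leading bytes of a mail-crypt container on disk.
MAILCRYPT_MAGIC = b"CRYPTED"


def is_mail_crypt(path):
    """True if the file starts with the mail-crypt magic (short files -> False)."""
    with open(path, "rb") as f:
        return f.read(len(MAILCRYPT_MAGIC)) == MAILCRYPT_MAGIC


def scan_maildir(root):
    """Walk a Maildir++ tree and split messages into (encrypted, plaintext).

    Only cur/ and new/ directories hold delivered mail; tmp/ is skipped because
    it contains deliveries still in progress. Subfolders are the '.Name'
    directories under the root and are visited by the same walk.
    """
    encrypted, plaintext = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name not in ("cur", "new"):
            continue
        for name in filenames:
            path = d / name
            (encrypted if is_mail_crypt(path) else plaintext).append(str(path))
    return sorted(encrypted), sorted(plaintext)


def build_sample_maildir(base):
    """Constructed sample tree: INBOX with one plaintext message, .Archive with
    one stand-in container (magic plus filler bytes, not a real ciphertext)."""
    base = Path(base)
    for folder in ("", ".Archive"):
        for sub in ("cur", "new", "tmp"):
            (base / folder / sub).mkdir(parents=True, exist_ok=True)
    plain = base / "cur" / "1676970000.M1P1.host:2,S"
    plain.write_bytes(b"From: a@example.test\r\nSubject: hi\r\n\r\nbody\r\n")
    enc = base / ".Archive" / "cur" / "1676970001.M2P1.host:2,S"
    enc.write_bytes(MAILCRYPT_MAGIC + b"\x03\x07\x02" + b"\x00" * 32)
    # A delivery still sitting in tmp/ must not be counted either way.
    (base / "tmp" / "1676970002.M3P1.host").write_bytes(b"From: x\r\n\r\npartial")
    return str(plain), str(enc)


def demo():
    """Build the constructed sample in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as scratch:
        plain, enc = build_sample_maildir(scratch)
        encrypted, plaintext = scan_maildir(scratch)
        return {
            "encrypted_ok": encrypted == [enc],
            "plaintext_ok": plaintext == [plain],
            "counts": (len(encrypted), len(plaintext)),
        }


if __name__ == "__main__":
    if len(sys.argv) == 2:
        enc_files, plain_files = scan_maildir(sys.argv[1])
        print(f"{len(enc_files)} encrypted, {len(plain_files)} plaintext")
        for p in plain_files:
            print("PLAINTEXT", p)
        # Non-zero exit while any plaintext remains makes this easy to loop on.
        sys.exit(1 if plain_files else 0)
    print(demo())
```

Run it as `python check_mailcrypt.py /path/to/user/Maildir` after moving a folder's mail through the temp folder and back; it lists every file that is still plaintext and exits non-zero while any remain. The check only shows that a file is a mail-crypt container, not that the configured keys can decrypt it, so the reply's second test still applies: open one of the re-encrypted messages from the mail client and confirm Dovecot serves it.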