On December 15, 2017 at 2:29 AM Joseph Tam jtam.home@gmail.com wrote:
Aki Tuomi writes:
Dovecot does support making it difficult to prevent access to the stored mail.
Those who have had problems understanding the documentation might find this unintended double-negative ironically funny.
Indeed. Although we are open to improvements for the documentation, or even pointing out where it's wrong.
You can, with suitable workflows, ensure that the user's emails are not readable by anyone but the user. Of course the only way to be fully sure is to use end-to-end encryption, ...
"Ensure" (or OP: "impossible") are very high standards of privacy. If the OP really means it, then since a third party has control over the (virtual or real) hardware, the server should never have access to private keys or decrypted data. (We're in agreement I think.)
You are quite right. The mail-crypt plugin cannot provide absolute guarantees that the data won't be accessible by sufficiently determined adversary, due to the fact that the keys are indeed on the server, or accessible by the server.
If the OP lowers their standards to "inconvenient" to gain access, then the plugin is enough. It will keep the honest admin honest.
... like PGP or S/MIME, but this does go a long way to prevent admin access to user's email.
Don't ignore metadata; who/when/where (and headers?) could reveal much information.
Joseph Tam jtam.home@gmail.com
It's always all about who you are guarding against. I'd say that against your hosting provide, mail crypt can provide reasonable safeguards, especially if the storage is not on the same device.
The weak point is, as you point out, key management and handling, and special attention should be paid to this and I suggest clearly outlining the threats you are planning on mitigating and how the solution(s) you use achieve this.
Aki