On 15 May 2018 at 22:43 Gandalf Corvotempesta <gandalf.corvotempesta@gmail.com> wrote:
> Hi to all. I was looking at protonmail.com. Is it possible to implement end-to-end encryption with Dovecot, where server-side there is no private key to decrypt messages?
You could probably automate this with sieve and e.g. GnuPG, which would mean that all your mails are encrypted without server having key to decrypt this.
> If I understood properly, on ProtonMail the private key is encrypted with the user's password, so that only the user is able to decrypt the mailbox.
> Anything similar?
In this case, the server *does* have the private key, even if it's encrypted... =)
Dovecot's mail crypt plugin can achieve a *similar* thing with
mail_crypt_private_password=%{password} (see https://wiki.dovecot.org/Plugins/MailCrypt)
But this requires quite good planning, esp. if you are hosting mails, since there is currently no DR feature in Dovecot. If you decide to use the mail crypt plugin, set it up with a private key password, and then lose the password, the mails really are gone.
Also worth noting is that, currently, dovecot does not encrypt indexes, which can contain information about your mails.
Aki
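The following is an added configuration example illustrating the setup Aki describes above (per-user keys whose private key is protected by the user's login password). It is not part of the thread and is not copied from Dovecot's own documentation. It assumes Dovecot 2.2.27 or later with the mail_crypt plugin built in, setting names as documented on https://wiki.dovecot.org/Plugins/MailCrypt at the time of the thread, and a static passdb with the literal password "pass" purely to keep the fragment self-contained; the PEM paths in the commented-out global-key variant are placeholders. Check every setting against the documentation for your own version before relying on it.

```conf
# Added example (not from the thread): Dovecot mail_crypt with per-user
# "folder keys", where the user's private key is stored on the server
# only in password-encrypted form. This is the
# mail_crypt_private_password=%{password} approach Aki points at.
#
# Assumptions: Dovecot >= 2.2.27 with mail_crypt; setting names per the
# MailCrypt wiki page; the static passdb and password "pass" exist only
# to make the example self-contained.

mail_plugins = $mail_plugins mail_crypt

plugin {
  # Write mails in the current encrypted container format.
  mail_crypt_save_version = 2

  # EC curve used when generating per-user and per-folder key pairs.
  mail_crypt_curve = secp521r1

  # Refuse to create or use a user key that is NOT password-protected.
  # Without this, a key generated without a password sits on the server
  # in the clear and the "server holds no usable key" goal is silently
  # lost.
  mail_crypt_require_encrypted_user_key = yes
}

passdb {
  driver = static
  # %w expands to the password the user just authenticated with.
  # Exporting it as userdb_mail_crypt_private_password hands it to the
  # plugin for this session only; Dovecot does not store it. If the user
  # forgets the password, or an admin resets it without re-wrapping the
  # key with "doveadm mailbox cryptokey password", the private key and
  # with it the whole mailbox are unrecoverable: there is no recovery
  # path, as Aki warns.
  args = password=pass userdb_mail_crypt_private_password=%w
}

# Contrast: the weak variant that does NOT meet the original poster's
# requirement. A single global key pair encrypts mail at rest, but the
# private key is readable by the server, so anyone with root on the box
# (or a backup of /etc/dovecot) can decrypt every mailbox.
#
# plugin {
#   mail_crypt_global_private_key = </etc/dovecot/ec-private.pem
#   mail_crypt_global_public_key  = </etc/dovecot/ec-public.pem
#   mail_crypt_save_version = 2
# }
#
# In either variant the index and cache files under mail_location remain
# plaintext and reveal headers, flags and sizes, as Aki notes above.
```

Key generation and later password changes are done with the doveadm mailbox cryptokey subcommands; consult the doveadm-mailbox-cryptokey manual page of your version for the exact flags, since they are not shown here. The security-relevant point of the fragment is the pairing of mail_crypt_require_encrypted_user_key = yes with a password that only the user supplies at login: the first prevents an unprotected key from ever being created, the second ensures the server cannot decrypt a mailbox while no session is open, and together they are also exactly what makes the mailbox unrecoverable if that password is lost.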