-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Am 28.10.2013 17:02, schrieb Douglas Mortensen:
Hi,
We have clients with various security & compliance requirements. Although not required, it would be ideal to have messages encrypted at rest. We already use SSL/TLS to secure the transmission of most email. However, it would be nice to have them encrypted sitting on our server. Is anyone doing this? I think that ideally, rather than full-disk encryption, we should use an encryption that encrypts the actual email messages as they sit on our file system. This way even if we ever had our server breached by an attacker, they wouldn't be able to do anything with the messages. However, this would also mean that if the attacker can't decrypt the files, than dovecot and postfix still would need to. This means that the encryption key would need to be available to the dovecot deamon. We'd either need to have it in a file that is restricted to access only by dovecot (less secure), or use an encryption passphrase for the certificate which would have to be typed in manually each time that dovecot starts or restarts (more secure, but also more work and possibility of disruption because the server can't restart gracefully without a human being having to be present [although I don't think we have issues with unexpected restarts anyway]).
Is anyone doing anything like this with dovecot?
perhaps look at
https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve
Thanks!! - Doug Mortensen Network Consultant Impala Networks Inc CCNA, MCSA, Security+, A+ Linux+, Network+, Server+ A.A.S. Information Technology . www.impalanetworks.com P: (505) 327-7300 F: (505) 327-7545
Best Regards MfG Robert Schetterer
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSbpyxAAoJEP8jBObu0LlEFmUH/0i8vKvqvIC9d3AX/QHpd7G6 +ybdiRsndYnyrOMVoRf/P0L9S2QL/FY/stQ3s4xmIZbZAlh2qQI6PhcZRPDJD1pA 59bJppKwZmm37+uj+gEYgNWdG08Adtr9xsreKvYr97Un/9W/psXYxstswITLXC9Q 8/7n4S/GBUkG36924EvtSr+nrl5HrMKgY9H5XBVz/KAauK6NYy9A3UyiaNaGVgnJ Sd58ZgMKuk84pkSFov+uj5VNz84btyfH3JQowZwN3tN8hxrmqDdkEpO38LB87PMX /sJprTisgS5WetB9GOXcSY2rbpE7I5uL3VycA/46nB1PQHe2zRY9ZQEdTNHOiTQ= =NEp8 -----END PGP SIGNATURE-----