On 28/10/2013 19:14, Douglas Mortensen wrote:
> So.... given that type of scenario, if filesystem permissions weren't correct, or some new exploit surfaced that allowed someone to bypass or elevate to root, then they could theoretically have access to the entire filesystem including where emails are stored.
> ...
> However, it would be nice to know that even if we were breached, the emails on the server were encrypted and would be completely useless to an attacker.
> This type of encryption is ideal and some regulations prefer (although don't require) it.
OK, but encryption will only help if the bad guy, who gets elevated to root, cannot access the decryption keys. But you initially suggested Dovecot has to decrypt the mails, so I would think root access would be able to obtain keys and run (in some manner) suitable decryption, even if offline back in its lair.
And this brings me to something I wanted to ask from your first post - and please forgive a basic question. Why does Dovecot need to decrypt the messages? Why could not the messages be encrypted, and only the clients decrypt them - this way only the clients would have the decryption keys and the bad root-guy can't get the keys.
Is it true that Dovecot needs access to mails in clear? If yes, what part of the mails does Dovecot need in clear - might clear 'headers' be sufficient for its purposes, so that message content remains encrypted?
Such a scenario might require all users (or, maybe, just those users that wanted this facility) to ensure they had suitable clients, maybe Thunderbird with a suitable plug-in, or maybe a special-purpose client. And whatever public email server you (or the customers) are running would have to encrypt public email on receipt, and decrypt on public transmission, but 'in-company' email within each customer could remain encrypted, anyway.
Such a scheme would depend, though, on the extent to which Dovecot does require access to mail 'content' (in addition to Dovecot housekeeping data such as time of receipt, read status, index value, etc).
Hence the question, does Dovecot need access to mail in clear?
regards, Ron