On 2013-10-30 16:03, Miquel van Smoorenburg wrote:
On 28/10/13 23:22, Frerich Raabe wrote:
You could imagine a system which requires users to generate a key pair and then submit their public key. The mail system will encrypt all mail received for a user with that users public key. When accessing the mail, the user configures his user agent to use the private key to decrypt the mail.
[..]
Well you can generate the public and private key on the server, then set the users password as the keyphrase, and leave it stored on the server.
Incoming mail would be automatically encrypted with the public key, then stored.
When the user logs in to imap/pop the password is not only used for authentication, but also to unlock the private key. Dovecot can then decrypt the messages on the fly.
Basically this is how Lavamail worked. It is reasonably secure, but doesn't help against a hostile root user on the server that hacks dovecot to just log the password when a user logs in. Or someone who has acquired your SSL keys and taps your internet connection.
The whole idea of using asymmetric encryption was that the server *does not* have the private key. It only has the public key, so it can store incoming mail encrypted using the users public key (which requires no password). Dovecot would then just serve the encrypted mail, all encryption would happen on the client side using the private key which only the client has.
In the case of Maildir, I suspect (but I don't know) that Dovecot doesn't treat the individual files as plain data: it does look into them when serving (not only when indexing) to parse some headers or so. So I guess you cannot just encrypt the raw file on disk but you rather have to "rewrite" the mail so that only the body is encrypted but the headers are left untouched. This means that a hostile root user could see the headers, but at least not the body of the message.
-- Frerich Raabe - raabe@froglogic.com www.froglogic.com - Multi-Platform GUI Testing