On 15/06/2023 17:14 EEST Rick Cooper via dovecot dovecot@dovecot.org wrote:
-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi@open-xchange.com]
Sent: Thursday, June 15, 2023 10:02 AM
To: rcooper@dwford.com; rcooper--- via dovecot
Subject: Re: Cannot get mail-crypt plugin to work
On 15/06/2023 15:32 EEST rcooper--- via dovecot dovecot@dovecot.org wrote:
dovecot 2.2.27 and then 2.2.36 (tried both). Trying to enable mail-crypt in global key mode. Nothing is ever encrypted, even when I move mail from folder to folder. I have tried everything available to find here, google, etc. and I assume I am missing something fundamental. Debug log shows the plugin loading:

Jun 15 08:26:00 srv2 dovecot: POP3(rick): Debug: Loading modules from directory: /usr/lib/dovecot
Jun 15 08:26:00 srv2 dovecot: POP3(rick): Debug: Module loaded: /usr/lib/dovecot/lib10_mail_crypt_plugin.so
Jun 15 08:26:00 srv2 dovecot: POP3(rick): Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled

(I assume because global, not per user)
my 10-mailcrypt.conf in conf.d:

mail_plugins = $mail_plugins mail_crypt

plugin {
  mail_crypt_global_private_key =
I have also tried base64 encoded .pem files inline. I have also added the mail_plugins line to my protocol definitions to no avail, and when I do that dovecot -n shows the lines as mail_plugins = " mail_crypt mail_crypt", so I assume it's a mistake to add mail_plugins = $mail_plugins mail_crypt to the protocol sections. Some online tutorials say you must do this and others do not mention it at all.
Just looking for some guidance as to where to go next.
Hi!
The mail-crypt plugin does not encrypt anything for you; only new or migrated emails are encrypted. If you want to encrypt your mailbox, you need to use doveadm sync/backup to migrate your mailbox.
Aki
I understand that, however it does state new mail should be encrypted, and if I send an email from another email account to the account that is on a testing server with the mail-crypt plug-in active, that email is not encrypted. It was also my understanding that best practice is to get the plug-in functioning with new mail before running through the process of encrypting old mail. I would assume that, at a minimum, when dovecot moves an email from new to cur it would be encrypted, or when I move an email from Inbox to a sub folder and back it would be encrypted. The need here is to have email encrypted at rest in compliance with FTC safeguard rules. So am I reading incorrectly that dovecot encrypts new emails automatically?
Well, when you move mails from new to cur, they are actually hardlinked (like mv does), not copied. The same tends to happen when you move mails between folders.
The best way to test it is to deliver mail to dovecot. But this has to happen using dovecot lmtp or dovecot-lda; if you deliver with postfix directly to maildir, dovecot has no way to encrypt your mail.
If you want to encrypt existing mail, I recommend you use doveadm sync/backup to do this.
Aki
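Added example, not part of the thread and not dovecot's own code: a small Python audit that tells you whether the files in a Maildir are actually mail-crypt encrypted, and that shows the point Aki makes about new/cur moves (same inode, same bytes, so nothing gets encrypted on a move). It assumes that a mail-crypt encrypted file begins with the dcrypt magic header `CRYPTED\x03\x07`; confirm that against the lib-dcrypt source of your installed dovecot version before relying on it. The Maildir it builds is constructed in a temp directory, and the "encrypted" file carries only the header followed by dummy bytes, not real ciphertext.

```python
import os
import tempfile
from pathlib import Path

# Magic header that dovecot's dcrypt output stream writes at the start of an
# encrypted mail file. ASSUMPTION taken from the lib-dcrypt source; verify it
# against your dovecot version (a real encrypted message would start with it).
DCRYPT_MAGIC = b"CRYPTED\x03\x07"


def is_mail_crypt_encrypted(path):
    """True if the file starts with the dcrypt magic header."""
    with open(path, "rb") as f:
        return f.read(len(DCRYPT_MAGIC)) == DCRYPT_MAGIC


def audit_maildir(maildir):
    """Return {relative_name: (encrypted, inode)} for every message under
    new/ and cur/. tmp/ is skipped because files there are still being written."""
    maildir = Path(maildir)
    report = {}
    for sub in ("new", "cur"):
        d = maildir / sub
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if p.is_file():
                report[f"{sub}/{p.name}"] = (is_mail_crypt_encrypted(p), p.stat().st_ino)
    return report


def summarize(report):
    """Count distinct messages (by inode, so a hardlinked new/cur pair counts
    once) that are encrypted vs still plaintext on disk."""
    by_inode = {}
    for _, (encrypted, inode) in report.items():
        by_inode.setdefault(inode, encrypted)
    encrypted = sum(1 for e in by_inode.values() if e)
    return {"encrypted": encrypted, "plaintext": len(by_inode) - encrypted,
            "files": len(report)}


def build_demo_maildir():
    """Constructed Maildir reproducing the situation in the thread:
    - a plaintext message written straight into new/ (as postfix would do
      when it bypasses dovecot-lda/LMTP), then moved to cur/ without being
      rewritten; the move is simulated with a hardlink so both entries stay
      visible and the shared inode can be checked;
    - one file carrying the dcrypt header, standing in for a message that
      was delivered through dovecot-lda/LMTP with mail_crypt active."""
    root = Path(tempfile.mkdtemp(prefix="maildir-demo-"))
    for sub in ("tmp", "new", "cur"):
        (root / sub).mkdir()
    plain = root / "new" / "1686830760.M1P100.srv2"
    plain.write_bytes(b"From: sender@example.com\r\nSubject: test\r\n\r\nhello\r\n")
    # new -> cur: same inode, same plaintext bytes, so nothing got encrypted
    os.link(plain, root / "cur" / "1686830760.M1P100.srv2:2,S")
    enc = root / "new" / "1686830800.M2P101.srv2"
    enc.write_bytes(DCRYPT_MAGIC + b"\x02" + b"\x00" * 64)  # constructed, not real ciphertext
    return root


if __name__ == "__main__":
    root = build_demo_maildir()
    report = audit_maildir(root)
    for name, (encrypted, inode) in report.items():
        print(f"{'ENC ' if encrypted else 'PLAIN'} inode={inode} {name}")
    print(summarize(report))
```

Run it against a real mailbox with `audit_maildir("/var/mail/rick/Maildir")` after delivering a test message through dovecot-lda or LMTP: if the new file still reports PLAIN, the plugin is not active on the delivery path, regardless of what the POP3/IMAP debug log says about the module being loaded.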