-----Original Message-----
From: Aki Tuomi [mailto:aki.tuomi@open-xchange.com]
Sent: Thursday, June 15, 2023 10:02 AM
To: rcooper@dwford.com; rcooper--- via dovecot
Subject: Re: Cannot get mail-crypt plugin to work
On 15/06/2023 15:32 EEST rcooper--- via dovecot dovecot@dovecot.org wrote:
dovecot 2.2.27 and then 2.2.36 (tried both)

Trying to enable mail-crypt in global key mode. Nothing is ever encrypted, even when I move mail from folder to folder. I have tried everything available to find here, Google, etc. and I assume I am missing something fundamental.

Debug log shows the plugin loading:

Jun 15 08:26:00 srv2 dovecot: POP3(rick): Debug: Loading modules from directory: /usr/lib/dovecot
Jun 15 08:26:00 srv2 dovecot: POP3(rick): Debug: Module loaded: /usr/lib/dovecot/lib10_mail_crypt_plugin.so
Jun 15 08:26:00 srv2 dovecot: POP3(rick): Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled

(I assume because global not per user)
my 10-mailcrypt.conf in .conf.d:

mail_plugins = $mail_plugins mail_crypt
plugin { mail_crypt_global_private_key =
I have also tried base64 encoded .pem files inline. I have also added the mail_plugins line to my protocol definitions to no avail, and when I do that dovecot -n shows the lines as mail_plugins = " mail_crypt mail_crypt", so I assume it's a mistake to add mail_plugins = $mail_plugins mail_crypt to the protocol sections. Some online tutorials say you must do this and others do not mention it at all.
Just looking for some guidance as to where to go next.
Hi!
Mail crypt plugin does not encrypt anything for you, only new or migrated emails are encrypted. If you want to encrypt your mailbox, you need to use doveadm sync/backup to migrate your mailbox.
Aki
I understand that; however, it does state new mail should be encrypted, and if I send an email from another email account to the account that is on a testing server with the mail-crypt plug-in active, that email is not encrypted. It was also my understanding that best practice is to get the plug-in functioning with new mail before running through the process of encrypting old mail. I would assume that, at a minimum, when dovecot moves an email from new to cur it would be encrypted, or when I move an email from Inbox to a sub folder and back it would be encrypted. The need here is to have email encrypted at rest in compliance with FTC safeguard rules. So am I reading incorrectly that dovecot encrypts new emails automatically?
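
One way to check on disk whether messages are actually being stored encrypted, as an added example that is not part of the original thread: it walks a Maildir's new/ and cur/ directories and looks for the header that mail_crypt writes at the start of an encrypted file. The magic value `CRYPTED\x03\x07` followed by a version byte is an assumption about Dovecot's dcrypt file format; the sample Maildir and file names are constructed.

```python
import os
import tempfile

# Assumption: Dovecot's dcrypt stream format begins with this 9-byte magic,
# followed by a one-byte format version.
DCRYPT_MAGIC = b"CRYPTED\x03\x07"

def classify(path):
    """Return ('encrypted', version) or ('plaintext', None) for one mail file."""
    with open(path, "rb") as fh:
        head = fh.read(len(DCRYPT_MAGIC) + 1)
    if head.startswith(DCRYPT_MAGIC):
        version = head[len(DCRYPT_MAGIC)] if len(head) > len(DCRYPT_MAGIC) else None
        return ("encrypted", version)
    return ("plaintext", None)

def audit_maildir(root):
    """Walk every cur/ and new/ directory under root and classify each message."""
    report = {"encrypted": [], "plaintext": []}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) not in ("cur", "new"):
            continue  # skip tmp/ and Dovecot index/control files
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            state, _version = classify(full)
            report[state].append(os.path.relpath(full, root))
    return report

def build_sample(root):
    """Constructed sample Maildir: one plaintext and one encrypted-looking file."""
    for sub in ("cur", "new", "tmp", ".Archive/cur"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "new", "1686835560.M1.srv2"), "wb") as fh:
        fh.write(b"Return-Path: <a@example.com>\r\nSubject: test\r\n\r\nbody\r\n")
    with open(os.path.join(root, ".Archive/cur", "1686835561.M2.srv2:2,S"), "wb") as fh:
        fh.write(DCRYPT_MAGIC + b"\x02" + os.urandom(64))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for state, paths in audit_maildir(tmp).items():
            for p in paths:
                print(f"{state:9} {p}")
```

Pointed at a real mail location instead of the constructed sample, any path listed as plaintext is a message that was saved without encryption.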