Hi,

I am just finishing my first personal email server build, so I would really appreciate it if the response to my question could be spelled out in enough detail, since I am struggling to fill in the gaps to get this working. I have scoured Google and the archives, but I am not fully understanding the implementation for my setup.

I am looking for a solution to encrypt email using a mechanism that increases the difficulty of decrypting my email. For example, having a plain-text decryption key on disk would not be suitable. From what I understand, mail-crypt supports using the user password supplied via IMAP to decrypt email. Can someone explain how this technically works? I.e., is the private key encrypted on disk and then unlocked using the supplied password?

Can someone also please step me through
1. how I would amend the configuration below in order to set this up.
2. the command required to generate keys
3. Any help in understanding the limitations such as password changes or caveats around generating keys securely

I am happy to take my notes and update the wiki to help others.

Thanks, Adam

# 2.3.8 (9df20d2db): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.8 (b7b03ba2)
# OS: Linux 4.18.0-240.1.1.el8_3.x86_64 x86_64 Red Hat Enterprise Linux release 8.3 (Ootpa)
# Hostname: mailserver.example.com
debug_log_path = /var/log/dovecot-debug.log
info_log_path = /var/log/dovecot-info.log
lda_mailbox_autocreate = yes
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_home = /var/mail/%d/%n/
mail_location = maildir:~/mail/
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = create
    special_use = \Archive
  }
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    auto = create
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=CRYPT username_format=%n@%d /etc/dovecot/passdb
  driver = passwd-file
}
plugin {
  recipient_delimiter = -
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /etc/sieve/global/
}
protocols = imap lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    address = *
    port = 143
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
userdb {
  args = uid=vmail gid=vmail home=/var/mail/%d/%n
  driver = static
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = " sieve"
  recipient_delimiter = -
}
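The fragment below is an added example and is not part of the original post. It shows how the posted doveconf output would change to enable the Dovecot mail-crypt plugin with per-user key pairs whose private key is stored on disk encrypted under the user's login password, which is the mechanism the question asks about: the plugin encrypts each message to the user's public key at delivery time, and at IMAP login the plaintext password the client just authenticated with is handed to the plugin through the userdb extra field `mail_crypt_private_password`, which unlocks the private key for that session only. The setting names and doveadm commands are the ones documented for the mail-crypt plugin; the user name `adam@example.com` and the `<...>` password placeholders are assumptions, and the exact command syntax should be checked against `doveadm help mailbox cryptokey` on the 2.3.8 build in question.

```conf
# Load mail-crypt everywhere. IMAP needs it to decrypt (private key);
# LMTP needs it to encrypt on delivery (public key only).
mail_plugins = mail_crypt

protocol lmtp {
  mail_fsync = optimized
  mail_plugins = $mail_plugins sieve
  recipient_delimiter = -
}

plugin {
  # Existing sieve settings are unchanged.
  recipient_delimiter = -
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /etc/sieve/global/

  # mail-crypt: per-user EC key pair, on-disk format version 2.
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2
  # Refuse to use a user private key that is stored unencrypted on disk.
  # Without this, a key auto-generated by a session that has no password
  # available (an LMTP delivery has none) would be written in the clear.
  mail_crypt_require_encrypted_user_key = yes
}

# The static userdb passes the just-authenticated password to the plugin.
# %w is only populated for cleartext SASL mechanisms (PLAIN/LOGIN), so the
# password must travel over TLS; the posted config already has ssl = yes
# on the IMAP listener.
userdb {
  args = uid=vmail gid=vmail home=/var/mail/%d/%n mail_crypt_private_password=%w
  driver = static
}

# Key generation, once per user and before the first delivery. The -o
# override supplies the password the private key will be encrypted with;
# -U selects the user key (as opposed to a per-folder key). Placeholder
# user name and password.
#   doveadm -o plugin/mail_crypt_private_password=<login-password> \
#       mailbox cryptokey generate -u adam@example.com -U
#
# Key rotation on password change: the key is encrypted with the old
# login password, so re-encrypt it under the new one at the same time
# the passdb entry is updated, otherwise the mailbox becomes unreadable.
#   doveadm mailbox cryptokey password -u adam@example.com \
#       -O <old-login-password> -N <new-login-password>
```

Two caveats worth being clear about before relying on this. First, it is an at-rest control: while a session is open the server holds both the cleartext login password and the unlocked private key in memory, so it raises the cost of reading a stolen disk or backup, not of a compromise of the running host. Second, the private key is only as strong as the password that wraps it, and there is no recovery path: a reset password without the `cryptokey password` step, or a forgotten password, leaves the existing mail unreadable unless a separately protected global key or an exported copy of the user key was kept beforehand. Any maintenance run through doveadm (for example `doveadm search` or a backup that reads message bodies) also needs the `-o plugin/mail_crypt_private_password=...` override, since no IMAP login is involved.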