docker-mailserver/docs/content/config/security/mail_crypt.md

---
title: 'Security | mail_crypt (email/storage encryption)'
---

!!! info
 
    The Mail crypt plugin is used to secure email messages stored in a Dovecot system. Messages are encrypted before written to storage and decrypted after reading. Both operations are transparent to the user.

    In case of unauthorized access to the storage backend, the messages will, without access to the decryption keys, be unreadable to the offending party.

    There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.


Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

---

## Single Encryption Key / Global Method

1. Create `10-custom.conf` and populate it with the following:

    ```
    # Enables mail_crypt for all services (imap, pop3, etc)
    mail_plugins = $mail_plugins mail_crypt
    plugin {
      mail_crypt_global_private_key = </certs/ecprivkey.pem
      mail_crypt_global_public_key = </certs/ecpubkey.pem
      mail_crypt_save_version = 2
    }
    ```

2. Shutdown your mailserver (`docker-compose down`)

3. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key). We named them `/certs/ecprivkey.pem` and `/certs/ecpubkey.pem` in step #1.

4. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container: 
    ```yaml
    services:
      mailserver:
        image: docker.io/mailserver/docker-mailserver:latest
        volumes:
        . . .
          - ./certs/:/certs
        . . .
    ```

5. While you're editing the `docker-compose.yml`, add the configuration file:
    ```yaml
    services:
      mailserver:
        image: docker.io/mailserver/docker-mailserver:latest
        volumes:
        . . .
          - ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf
          - ./certs/:/certs
        . . .
    ```

6. Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
    ```
    [root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v<36>z<EFBFBD>@<40><> m}<7D><>,<2C><>9<EFBFBD><39><EFBFBD><EFBFBD>B*<2A>247.us-west-2.compute.inE<6E><45>\Ck*<2A>@7795,W=7947:2,
    T<>9<EFBFBD>8t<38>6<EFBFBD><36> t<><74><EFBFBD>e<EFBFBD>W<EFBFBD><57>S   `<60>H<EFBFBD><48>C<EFBFBD>ڤ <20>yeY<65><59>XZ<58><5A>^<5E>d<EFBFBD>/<2F><>+<2B>A
    ```

This should be the minimum required for encryption of the mail while in storage.
-												docs: add mail_crypt plugin documentation (#1913)

* mail_crypt plugin + quick improvement to dovecot override defaults doc

* quick change for <your-container-name> to use mailserver

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
											
										
										
											2021-04-18 00:31:09 +02:00
+								---
 								title: 'Security | mail_crypt (email/storage encryption)'
 								---
 								!!! info
 								    The Mail crypt plugin is used to secure email messages stored in a Dovecot system. Messages are encrypted before written to storage and decrypted after reading. Both operations are transparent to the user.
 								    In case of unauthorized access to the storage backend, the messages will, without access to the decryption keys, be unreadable to the offending party.
 								    There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
-												reworked mail_crypt guide to make things way more simple and prepare … (#2043)

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
											
										
										
											2021-06-19 12:33:30 +02:00
-												docs: add mail_crypt plugin documentation (#1913)

* mail_crypt plugin + quick improvement to dovecot override defaults doc

* quick change for <your-container-name> to use mailserver

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
											
										
										
											2021-04-18 00:31:09 +02:00
+								Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
 								---
-												reworked mail_crypt guide to make things way more simple and prepare … (#2043)

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
											
										
										
											2021-06-19 12:33:30 +02:00
+								## Single Encryption Key / Global Method
 . Create `10-custom.conf` and populate it with the following:
-												docs: add mail_crypt plugin documentation (#1913)

* mail_crypt plugin + quick improvement to dovecot override defaults doc

* quick change for <your-container-name> to use mailserver

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
											
										
										
											2021-04-18 00:31:09 +02:00
 								    ```
-												reworked mail_crypt guide to make things way more simple and prepare … (#2043)

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
											
										
										
											2021-06-19 12:33:30 +02:00
+								    # Enables mail_crypt for all services (imap, pop3, etc)
 								    mail_plugins = $mail_plugins mail_crypt
 								    plugin {
 								      mail_crypt_global_private_key = </certs/ecprivkey.pem
 								      mail_crypt_global_public_key = </certs/ecpubkey.pem
 								      mail_crypt_save_version = 2
 								    }
 								    ```
 . Shutdown your mailserver (`docker-compose down`)
 . You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key). We named them `/certs/ecprivkey.pem` and `/certs/ecpubkey.pem` in step #1.
 . The EC key needs to be available in the container. I prefer to mount a /certs directory into the container:
-												docs: add mail_crypt plugin documentation (#1913)

* mail_crypt plugin + quick improvement to dovecot override defaults doc

* quick change for <your-container-name> to use mailserver

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
											
										
										
											2021-04-18 00:31:09 +02:00
+								    ```yaml
 								    services:
 								      mailserver:
 								        image: docker.io/mailserver/docker-mailserver:latest
 								        volumes:
 								        . . .
 								          - ./certs/:/certs
 								        . . .
 								    ```
-												reworked mail_crypt guide to make things way more simple and prepare … (#2043)

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
											
										
										
											2021-06-19 12:33:30 +02:00
 . While you're editing the `docker-compose.yml`, add the configuration file:
-												docs: add mail_crypt plugin documentation (#1913)

* mail_crypt plugin + quick improvement to dovecot override defaults doc

* quick change for <your-container-name> to use mailserver

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
											
										
										
											2021-04-18 00:31:09 +02:00
+								    ```yaml
 								    services:
 								      mailserver:
 								        image: docker.io/mailserver/docker-mailserver:latest
 								        volumes:
 								        . . .
-												reworked mail_crypt guide to make things way more simple and prepare … (#2043)

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
											
										
										
											2021-06-19 12:33:30 +02:00
+								          - ./config/dovecot/10-custom.conf:/etc/dovecot/conf.d/10-custom.conf
-												docs: add mail_crypt plugin documentation (#1913)

* mail_crypt plugin + quick improvement to dovecot override defaults doc

* quick change for <your-container-name> to use mailserver

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
											
										
										
											2021-04-18 00:31:09 +02:00
+								          - ./certs/:/certs
 								        . . .
 								    ```
-												reworked mail_crypt guide to make things way more simple and prepare … (#2043)

* reworked mail_crypt guide to make things way more simple and prepare for user folder encryption

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

* Update docs/content/config/security/mail_crypt.md

Co-authored-by: Casper <casperklein@users.noreply.github.com>

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Co-authored-by: Casper <casperklein@users.noreply.github.com>
											
										
										
											2021-06-19 12:33:30 +02:00
 . Start the container, monitor the logs for any errors, send yourself a message, and then confirm the file on disk is encrypted:
 								    ```
 								    [root@ip-XXXXXXXXXX ~]# cat -A /mnt/efs-us-west-2/maildata/awesomesite.com/me/cur/1623989305.M6v<36>z<EFBFBD>@<40><> m}<7D><>,<2C><>9<EFBFBD><39><EFBFBD><EFBFBD>B*<2A>247.us-west-2.compute.inE<6E><45>\Ck*<2A>@7795,W=7947:2,
 								    T<>9<EFBFBD>8t<38>6<EFBFBD><36> t<><74><EFBFBD>e<EFBFBD>W<EFBFBD><57>S   `<60>H<EFBFBD><48>C<EFBFBD>ڤ <20>yeY<65><59>XZ<58><5A>^<5E>d<EFBFBD>/<2F><>+<2B>A
 								    ```
 								This should be the minimum required for encryption of the mail while in storage.