docs: add mail_crypt plugin documentation (#1913)

* mail_crypt plugin + quick improvement to dovecot override defaults doc * quick change for <your-container-name> to use mailserver Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2021-04-17 18:31:09 -04:00 · 2021-04-17 18:31:09 -04:00 · 0fb5251c20
parent 271d94a37e
commit 0fb5251c20
2 changed files with 81 additions and 2 deletions
--- a/docs/content/config/advanced/override-defaults/dovecot.md
+++ b/docs/content/config/advanced/override-defaults/dovecot.md
@ -32,6 +32,8 @@ This limit is quickly reached if users connect to the mail server with multiple

 For major configuration changes it’s best to override the dovecot configuration files. For each configuration file you want to override, add a list entry under the `volumes` key.

+You will need to first obtain the configuration from the running container: `mkdir -p ./config/dovecot && docker cp mailserver:/etc/dovecot/conf.d/10-master.conf ./config/dovecot/10-master.conf`
+
 ```yaml
 services:
  mail:
@ -45,7 +47,7 @@ services:
 To debug your dovecot configuration you can use:

 - This command: `./setup.sh debug login doveconf | grep <some-keyword>`
- Or: `docker exec -it <your-container-name> doveconf | grep <some-keyword>`
+- Or: `docker exec -it mailserver doveconf | grep <some-keyword>`

 !!! note
    [`setup.sh`][github-file-setupsh] is included in the `docker-mailserver` repository. Make sure to grap the one matching your image version.
@ -53,7 +55,7 @@ To debug your dovecot configuration you can use:
 The `config/dovecot.cf` is copied internally to `/etc/dovecot/local.conf`. To check this file run:

 ```sh
-docker exec -it <your-container-name> cat /etc/dovecot/local.conf
+docker exec -it mailserver cat /etc/dovecot/local.conf
 ```

 [github-file-setupsh]: https://github.com/docker-mailserver/docker-mailserver/blob/master/setup.sh
--- a/docs/content/config/security/mail_crypt.md
+++ b/docs/content/config/security/mail_crypt.md
@ -0,0 +1,77 @@
+---
+title: 'Security | mail_crypt (email/storage encryption)'
+---
+
+!!! info
+ 
+    The Mail crypt plugin is used to secure email messages stored in a Dovecot system. Messages are encrypted before written to storage and decrypted after reading. Both operations are transparent to the user.
+
+    In case of unauthorized access to the storage backend, the messages will, without access to the decryption keys, be unreadable to the offending party.
+
+    There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
+
+Official Dovecot documentation: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
+
+---
+
+## Basic Setup
+
+1. Before you can enable mail_crypt, you'll need to copy out several dovecot/conf.d files to the host (from a running container) and then take the container down:
+    ```bash
+    mkdir -p config/dovecot
+    docker cp mailserver:/etc/dovecot/conf.d/20-lmtp.conf config/dovecot/
+    docker cp mailserver:/etc/dovecot/conf.d/20-imap.conf config/dovecot/
+    docker cp mailserver:/etc/dovecot/conf.d/20-pop3.conf config/dovecot/
+    docker-compose down
+    ```
+2. You then need to [generate your global EC key](https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#ec-key).
+3. The EC key needs to be available in the container. I prefer to mount a /certs directory into the container: 
+    ```yaml
+    services:
+      mailserver:
+        image: docker.io/mailserver/docker-mailserver:latest
+        volumes:
+        . . .
+          - ./certs/:/certs
+        . . .
+    ```
+4. While you're editing the docker-compose.yml, add the configuration files you copied out:
+    ```yaml
+    services:
+      mailserver:
+        image: docker.io/mailserver/docker-mailserver:latest
+        volumes:
+        . . .
+          - ./config/dovecot/20-lmtp.conf:/etc/dovecot/conf.d/20-lmtp.conf
+          - ./config/dovecot/20-imap.conf:/etc/dovecot/conf.d/20-imap.conf
+          - ./config/dovecot/20-pop3.conf:/etc/dovecot/conf.d/20-pop3.conf
+          - ./certs/:/certs
+        . . .
+    ```
+5. The `mail_crypt` plugin, unless you're using a non-standard configuration of docker-mailserver, should be enabled on both `lmtp` and `imap`. You'll want to edit three different files:
+    - `./config/dovecot/20-lmtp.conf`
+      ```
+      protocol lmtp {
+        mail_plugins = $mail_plugins sieve mail_crypt
+        plugin {
+          mail_crypt_global_private_key = </certs/ecprivkey.pem
+          mail_crypt_global_public_key = </certs/ecpubkey.pem
+          mail_crypt_save_version = 2
+        }
+      }
+      ```
+    - `./config/dovecot/20-imap.conf`
+      ```
+      protocol imap {
+        mail_plugins = $mail_plugins imap_quota mail_crypt
+        plugin {
+          mail_crypt_global_private_key = </certs/ecprivkey.pem
+          mail_crypt_global_public_key = </certs/ecpubkey.pem
+          mail_crypt_save_version = 2
+        }
+      }
+      ```
+    - If you use pop3, make the same changes in `20-pop3.conf`
+6. Start the container and monitor the logs for any errors
+
+This should be the minimum required for encryption of the mail while in storage.