dovecot - Feb 2023 - Can I encrypt already existant unencrypted mail before I start using the mail-crypt plugin?

> On 16/02/2023 07:18 EET mailinglist-subscriptions
<mailinglist-subscriptions at protonmail.com> wrote:
> 
>  
> Hi,
> 
> I am using dovecot 2.3.16, along with postfix and a PostgreSQL database for
managing virtual accounts.
> 
> I'd like to start using the mail-crypt plugin. However, I'm having
a bit some difficulty understanding the documentation at
> 
> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin 
> 
> to reach my goal. I plan to ask questions about those issues by starting
new threads in this mailing list. But before I even come to that, I'd like
to investigate the following:
> 
> The above documentation only addresses a clean install and doesn't seem
to mention encrypting already existent unencrypted mails, like my server has. Is
it possible to encrypt those before I start using the mail-crypt plugin, such
that it will be able to decrypt those messages as well?
> 
> If it is, I am assuming that how I would go about achieving that will be
very dependent on the ultimate configuration I have in mind (pub/priv keys,
etc.). So I don't expect a full-fledged guide. However, if you could perhaps
give a general overview of what would be needed to achieve this, I would very
much appreciate that.
> 
> Thank you.
It will be easiest to do migration to new server, then the data will get
encrypted while migrating. It is possible to write a script to do this, but will
be much more hassle than migration.

You might even be able to do it for one user at a time, by doing migration from
maildir to maildir and then moving the new maildir over the old one.

Aki

On Tuesday, February 21st, 2023 at 09:54, Aki Tuomi <aki.tuomi at
open-xchange.com> wrote:

> > On 16/02/2023 07:18 EET mailinglist-subscriptions
mailinglist-subscriptions at protonmail.com wrote:
> > 
> > Hi,
> > 
> > I am using dovecot 2.3.16, along with postfix and a PostgreSQL
database for managing virtual accounts.
> > 
> > I'd like to start using the mail-crypt plugin. However, I'm
having a bit some difficulty understanding the documentation at
> > 
> > https://doc.dovecot.org/configuration_manual/mail_crypt_plugin
> > 
> > to reach my goal. I plan to ask questions about those issues by
starting new threads in this mailing list. But before I even come to that,
I'd like to investigate the following:
> > 
> > The above documentation only addresses a clean install and doesn't
seem to mention encrypting already existent unencrypted mails, like my server
has. Is it possible to encrypt those before I start using the mail-crypt plugin,
such that it will be able to decrypt those messages as well?
> > 
> > If it is, I am assuming that how I would go about achieving that will
be very dependent on the ultimate configuration I have in mind (pub/priv keys,
etc.). So I don't expect a full-fledged guide. However, if you could perhaps
give a general overview of what would be needed to achieve this, I would very
much appreciate that.
> > 
> > Thank you.
> 
> 
> It will be easiest to do migration to new server, then the data will get
encrypted while migrating. It is possible to write a script to do this, but will
be much more hassle than migration.
> 
> You might even be able to do it for one user at a time, by doing migration
from maildir to maildir and then moving the new maildir over the old one.
> 
> Aki
Thanks for the suggestion. However, migrating sounds like quite the hassle as
well.

Now, I have next to no knowledge about the synchronization workings of IMAP, so
perhaps this is totally infeasible, but could the following work?

- Preface
I am the only user of the mail server, with one virtual catch-all account for
each domain I own. I access these accounts with Thunderbird.

- Solution
I make a backup of all mail in my Thunderbird accounts. Then I either delete all
mails from within Thunderbird, or on the server. Then I configure the mail-crypt
plugin. And then I import all backup mails and folders into my Thunderbird
accounts again?

Could that work? Or would that mess up the synchronization history (message IDs
and what not)? And most importantly, if it actually could work, would the
messages be properly encrypted then?