Jeremy
2023-Feb-21 22:29 UTC
Can I encrypt already existant unencrypted mail before I start using the mail-crypt plugin?
On Tuesday, February 21st, 2023 at 09:54, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:> > On 16/02/2023 07:18 EET mailinglist-subscriptions mailinglist-subscriptions at protonmail.com wrote: > > > > Hi, > > > > I am using dovecot 2.3.16, along with postfix and a PostgreSQL database for managing virtual accounts. > > > > I'd like to start using the mail-crypt plugin. However, I'm having a bit some difficulty understanding the documentation at > > > > https://doc.dovecot.org/configuration_manual/mail_crypt_plugin > > > > to reach my goal. I plan to ask questions about those issues by starting new threads in this mailing list. But before I even come to that, I'd like to investigate the following: > > > > The above documentation only addresses a clean install and doesn't seem to mention encrypting already existent unencrypted mails, like my server has. Is it possible to encrypt those before I start using the mail-crypt plugin, such that it will be able to decrypt those messages as well? > > > > If it is, I am assuming that how I would go about achieving that will be very dependent on the ultimate configuration I have in mind (pub/priv keys, etc.). So I don't expect a full-fledged guide. However, if you could perhaps give a general overview of what would be needed to achieve this, I would very much appreciate that. > > > > Thank you. > > > It will be easiest to do migration to new server, then the data will get encrypted while migrating. It is possible to write a script to do this, but will be much more hassle than migration. > > You might even be able to do it for one user at a time, by doing migration from maildir to maildir and then moving the new maildir over the old one. > > AkiThanks for the suggestion. However, migrating sounds like quite the hassle as well. Now, I have next to no knowledge about the synchronization workings of IMAP, so perhaps this is totally infeasible, but could the following work? - Preface I am the only user of the mail server, with one virtual catch-all account for each domain I own. I access these accounts with Thunderbird. - Solution I make a backup of all mail in my Thunderbird accounts. Then I either delete all mails from within Thunderbird, or on the server. Then I configure the mail-crypt plugin. And then I import all backup mails and folders into my Thunderbird accounts again? Could that work? Or would that mess up the synchronization history (message IDs and what not)? And most importantly, if it actually could work, would the messages be properly encrypted then?
Ben Burk
2023-Feb-21 23:49 UTC
Can I encrypt already existant unencrypted mail before I start using the mail-crypt plugin?
I would definitely get mail-crypt working on your system before worrying about encrypting existing emails. Iirc dovecot should support both types of files (encrypted, and non-encrypted) concurrently. So BEFORE you try anything, make sure via logs, etc that mail is being written to the fs as an encrypted file and that dovecot is able to decrypt it (i.e. you are able to view that particular mail file from your email client). My specific use case way back was to encrypt a maildir system using this plugin a year or so ago. I believe there are 2 ways to set mail-crypt up. Using global keys or folder-specific keys. What you will learn going through this process using folder-specific keys is that any time mail is moved (from an IMAP directory to another) the mail becomes effectively re-encrypted using the destination's folder keys. I imagine how this works under global keys is that the mail is encrypted once when it is moved, then never again unless keys change. So all you would need to do to encrypt existing mail using either method would be to create a temp imap folder, move mail from each IMAP folder one at a time into this temp folder, then back to the original IMAP folder. I had a few questions at the time in implementing this, so I've linked here the dovecot mailing list thread so it might provide some context if needed: https://dovecot.org/pipermail/dovecot/2021-July/122469.html On 2/21/23 16:29, Jeremy wrote:> On Tuesday, February 21st, 2023 at 09:54, Aki Tuomi <aki.tuomi at open-xchange.com> wrote: > > >>> On 16/02/2023 07:18 EET mailinglist-subscriptions mailinglist-subscriptions at protonmail.com wrote: >>> >>> Hi, >>> >>> I am using dovecot 2.3.16, along with postfix and a PostgreSQL database for managing virtual accounts. >>> >>> I'd like to start using the mail-crypt plugin. However, I'm having a bit some difficulty understanding the documentation at >>> >>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin >>> >>> to reach my goal. I plan to ask questions about those issues by starting new threads in this mailing list. But before I even come to that, I'd like to investigate the following: >>> >>> The above documentation only addresses a clean install and doesn't seem to mention encrypting already existent unencrypted mails, like my server has. Is it possible to encrypt those before I start using the mail-crypt plugin, such that it will be able to decrypt those messages as well? >>> >>> If it is, I am assuming that how I would go about achieving that will be very dependent on the ultimate configuration I have in mind (pub/priv keys, etc.). So I don't expect a full-fledged guide. However, if you could perhaps give a general overview of what would be needed to achieve this, I would very much appreciate that. >>> >>> Thank you. >> >> It will be easiest to do migration to new server, then the data will get encrypted while migrating. It is possible to write a script to do this, but will be much more hassle than migration. >> >> You might even be able to do it for one user at a time, by doing migration from maildir to maildir and then moving the new maildir over the old one. >> >> Aki > Thanks for the suggestion. However, migrating sounds like quite the hassle as well. > > Now, I have next to no knowledge about the synchronization workings of IMAP, so perhaps this is totally infeasible, but could the following work? > > - Preface > I am the only user of the mail server, with one virtual catch-all account for each domain I own. I access these accounts with Thunderbird. > > - Solution > I make a backup of all mail in my Thunderbird accounts. Then I either delete all mails from within Thunderbird, or on the server. Then I configure the mail-crypt plugin. And then I import all backup mails and folders into my Thunderbird accounts again? > > Could that work? Or would that mess up the synchronization history (message IDs and what not)? And most importantly, if it actually could work, would the messages be properly encrypted then? >
Seemingly Similar Threads
- Can I encrypt already existant unencrypted mail before I start using the mail-crypt plugin?
- Can I encrypt already existant unencrypted mail before I start using the mail-crypt plugin?
- Can I encrypt already existant unencrypted mail before I start using the mail-crypt plugin?
- bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
- bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password