[Dovecot] Encryption solution for messages at rest

Ron Leach ronleach at tesco.net
Mon Oct 28 21:39:22 EET 2013


On 28/10/2013 19:14, Douglas Mortensen wrote:
>
> So.... given that type of scenario, if filesystem permissions
> weren't correct, or some new exploit surfaced that allowed someone
> to bypass or elevate to root, then they could theoretically have
> access to the entire filesystem including where emails are stored.
>
> ...
>
> However, it would be nice to know that even if we were breached,
> the emails on the server were encrypted and would be completely
> useless to an attacker.
>
> This type of encryption is ideal and some regulations prefer
> (although don't require) it.

OK, but encryption will only help if the bad guy, who gets elevated to 
root, can not access the decryption keys.  But you initially suggested 
Dovecot has to decrypt the mails, so I would think root access would 
be able to obtain keys and run (in some manner) suitable decryption, 
even if offline back in its lair.

And this brings me to something I wanted to ask from your first post - 
and please forgive a basic question.  Why does Dovecot need to decrypt 
the messages?  Why could not the messages be encrypted, and only the 
clients decrypt them - this way only the clients would have the 
decryption keys and the bad root-guy can't get the keys.

Is it true that Dovecot needs access to mails in clear?  If yes, what 
part of the mails does Dovecot need in clear - might clear 'headers' 
be sufficient for its purposes, so that message content remains encrypted?

Such a scenario might require all users (or, maybe, just those users 
that wanted this facility) to ensure they had suitable clients, maybe 
Thunderbird with a suitable plug-in, or maybe a special-purpose 
client.  And whatever public email server you (or the customers) are 
running would have to encrypt public email on receipt, and decrypt on 
public transmission, but 'in-company' email within each customer could 
remain encrypted, anyway.

Such a scheme would depend, though, on the extent to which Dovecot 
does require access to mail 'content' (in addition to Dovecot 
housekeeping data such as time of receipt, read status, index value, etc).

Hence the question, does Dovecot need access to mail in clear?

regards, Ron
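The arrangement Ron describes (encrypt on receipt, only the client holds the key, headers left in clear for the server's housekeeping) as an added, runnable sketch. This is not Dovecot's code and nothing in the thread says Dovecot ships such a feature; the `X-Body-Sealed` marker header, the sample message, the key and the helper names are all made up for the demo. The cipher is a stand-in (HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) chosen only so the example runs on the Python standard library; a real deployment would use PGP/MIME or S/MIME with the recipient's key. The point it makes concrete is the one raised above: a root attacker, or the server's own indexer, gets From/Subject/Date but nothing from the body, and because the clear headers are fed into the MAC as associated data, the client also detects a server that edits them.

```python
"""Constructed demo: seal the mail body on receipt with a client-only key,
keep RFC 5322 headers in clear (but authenticated) for server-side indexing.
Not Dovecot code; stand-in cipher for a dependency-free example."""
import base64
import hashlib
import hmac
import os
import re
from email import policy
from email.parser import BytesParser

SEALED_HEADER = b"X-Body-Sealed"          # assumed marker header, not a standard one
NONCE_LEN, TAG_LEN = 16, 32
_HEADER_END = re.compile(rb"\r?\n\r?\n")  # first blank line ends the header block


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the client key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(enc_key, nonce || counter) blocks."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _mac_input(aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Length-prefix the associated data so aad/ct boundaries are unambiguous."""
    return len(aad).to_bytes(4, "big") + aad + nonce + ct


def seal(key: bytes, plaintext: bytes, aad: bytes, nonce=None) -> bytes:
    """Encrypt plaintext and authenticate it together with aad: nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), _mac_input(aad, nonce, ct), hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag over aad and ciphertext before decrypting; reject otherwise."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), _mac_input(aad, nonce, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key, or headers/body altered on the server")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _split(raw: bytes):
    """Return (headers normalised to CRLF, body) for an RFC 5322 message."""
    m = _HEADER_END.search(raw)
    if m is None:
        raise ValueError("no header/body separator in message")
    headers = b"\r\n".join(re.split(rb"\r?\n", raw[:m.start()]))
    return headers, raw[m.end():]


def encrypt_body_at_receipt(raw: bytes, client_key: bytes, nonce=None) -> bytes:
    """Receiving LDA side: headers stay readable, body becomes an opaque blob."""
    headers, body = _split(raw)
    sealed = base64.b64encode(seal(client_key, body, aad=headers, nonce=nonce))
    return headers + b"\r\n" + SEALED_HEADER + b": v1\r\n\r\n" + sealed + b"\r\n"


def decrypt_body_on_client(stored: bytes, client_key: bytes) -> bytes:
    """Client side (the only holder of client_key): restore the original message."""
    headers, sealed = _split(stored)
    lines = [l for l in headers.split(b"\r\n") if not l.startswith(SEALED_HEADER + b":")]
    headers = b"\r\n".join(lines)
    body = unseal(client_key, base64.b64decode(sealed), aad=headers)
    return headers + b"\r\n\r\n" + body


def server_view(stored: bytes) -> dict:
    """What an indexer, or an attacker who got root, can read from the stored file."""
    msg = BytesParser(policy=policy.default).parsebytes(stored)
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "date": str(msg["Date"]), "body": msg.get_payload()}


# Constructed sample message and client key (neither comes from the thread).
SAMPLE = (b"From: alice@example.com\r\n"
          b"To: bob@example.com\r\n"
          b"Date: Mon, 28 Oct 2013 19:14:00 +0000\r\n"
          b"Subject: Q3 numbers\r\n"
          b"\r\n"
          b"Bob, the wire transfer details are attached.\r\n")
CLIENT_KEY = hashlib.sha256(b"demo key that lives only on the client").digest()

if __name__ == "__main__":
    stored = encrypt_body_at_receipt(SAMPLE, CLIENT_KEY)
    print("server sees:", server_view(stored))
    print("client recovers:", decrypt_body_on_client(stored, CLIENT_KEY) == SAMPLE)
```

Run it and `server_view` shows the headers as parsed strings with the body as base64 noise; body search on the server (IMAP SEARCH BODY, full-text indexing) can no longer work, which is exactly the trade-off the question about "clear headers only" implies.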
