Yes, you can encrypt mail stored by Dovecot while still letting users access it normally after they log in. The best approach is the Dovecot mail-crypt plugin, which provides per-user mail encryption at rest.
How It Works
- Emails are encrypted before being written to disk.
- When a user logs in, emails are decrypted on the fly using their credentials.
- The encryption keys are stored securely and never written in plaintext.
Steps to Encrypt Stored Emails in Dovecot
1. Install Required Packages
Ensure you have Dovecot with the mail-crypt plugin installed. If not, install it:
sudo apt install dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-mail-crypt
2. Enable the Mail Crypt Plugin
Edit your Dovecot config file (/etc/dovecot/conf.d/10-mail.conf) and add:
mail_plugins = $mail_plugins mail_crypt
For LMTP (Local Mail Transfer Protocol), enable the plugin in /etc/dovecot/conf.d/20-lmtp.conf:
protocol lmtp {
mail_plugins = $mail_plugins mail_crypt
}
For IMAP, enable it in /etc/dovecot/conf.d/20-imap.conf:
protocol imap {
mail_plugins = $mail_plugins mail_crypt
}
3. Configure Encryption Keys
Edit /etc/dovecot/conf.d/10-mail-crypt.conf (create it if missing) and set:
plugin {
mail_crypt_global_private_key = </etc/dovecot/private_key.pem
mail_crypt_global_public_key = </etc/dovecot/public_key.pem
}
Generate RSA keys:
openssl genpkey -algorithm RSA -out /etc/dovecot/private_key.pem
openssl rsa -in /etc/dovecot/private_key.pem -pubout -out /etc/dovecot/public_key.pem
chmod 600 /etc/dovecot/private_key.pem
4. Enable Per-User Encryption
Edit /etc/dovecot/conf.d/90-mail-crypt.conf:
plugin {
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes
}
This ensures that emails are only readable by the user who owns them.
5. Restart Dovecot
Apply the changes:
sudo systemctl restart dovecot
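A post-deployment check for steps 1 to 5, as an added example that is not part of the original answer: it verifies the private key's file permissions, that mail_crypt is listed in mail_plugins, and whether a Maildir still holds unencrypted messages (mail delivered before the plugin was enabled is not encrypted retroactively). It assumes Dovecot's dcrypt stream magic (the bytes "CRYPTED" 0x03 0x07) at the start of every encrypted file and GNU stat(1); the default paths are the ones used in steps 2 and 3.

```shell
#!/bin/sh
# Added post-deployment checks; not part of the original answer.
# Assumptions: encrypted mail starts with the dcrypt magic "CRYPTED\003\007",
# GNU stat(1) is present, default paths match steps 2 and 3 above.

# is_mail_encrypted FILE -> 0 if FILE starts with the dcrypt magic, else 1.
is_mail_encrypted() {
    [ "$(head -c 7 "$1" 2>/dev/null)" = "CRYPTED" ]
}

# key_perms_ok FILE -> 0 only if the private key is readable by its owner alone.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# config_has_mail_crypt CONF -> 0 if an uncommented mail_plugins line lists mail_crypt.
config_has_mail_crypt() {
    grep -Eq '^[[:space:]]*mail_plugins[[:space:]]*=([^#]*[[:space:]])?mail_crypt([[:space:]]|$)' "$1"
}

# count_plaintext_mails MAILDIR -> prints how many messages in cur/ and new/
# lack the magic (still plaintext); returns 0 only when that number is zero.
count_plaintext_mails() {
    n=0
    for f in "$1"/cur/* "$1"/new/*; do
        [ -f "$f" ] || continue
        is_mail_encrypted "$f" || n=$((n + 1))
    done
    echo "$n"
    [ "$n" -eq 0 ]
}

# check_deployment [KEY] [CONF] [MAILDIR] -> runs every check, returns 1 on any failure.
check_deployment() {
    rc=0
    key_perms_ok "${1:-/etc/dovecot/private_key.pem}" || { echo "FAIL: private key is group/world readable"; rc=1; }
    config_has_mail_crypt "${2:-/etc/dovecot/conf.d/10-mail.conf}" || { echo "FAIL: mail_crypt missing from mail_plugins"; rc=1; }
    if [ -n "$3" ]; then
        left=$(count_plaintext_mails "$3") || { echo "FAIL: $left plaintext message(s) still in $3"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}
```

Run check_deployment with a user's Maildir path as the third argument after the restart; a non-zero count of plaintext messages means older mail still needs to be re-saved under the plugin.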
How It Works for Users
- When an email is received, it's encrypted before being stored.
- When the user logs in via IMAP/POP3, Dovecot decrypts it on the fly.
- If a hacker gains access to the VPS, the emails remain useless without the private keys. Note that with the global key from step 3 the private key lives on the same host (/etc/dovecot/private_key.pem), so its file permissions (the chmod 600 above) are what keep it out of an attacker's reach; keep a backup of that key elsewhere, because losing it makes all stored mail unreadable.
Alternative: Full-Disk Encryption (FDE)
If you don't want per-user encryption but still want security, you can:
- Use LUKS encryption on the mail storage disk.
- Set up EncFS or eCryptfs for encrypted mail directories.
However, Dovecot's mail-crypt is the best method for user-specific encryption.