Protect Dovecot encryption keys

lnxgeek

I love the idea that Dovecot default encrypt the mail files at rest on the disk.

But is it possible to protect the encryption files in such a way that someone with access to the disk can’t just decrypt the files?
I know it will require a prompt to enter a password and it will make a server reboot a manual process, but it will be really awesome add this layer of protection and make it just a bit harder to get to the mails.

esackbauer

That is dependent on your Linux, not mailcow. Just use full disk encryption.

lnxgeek

I had that idea but it is not easy to implement on a VPS.

I like the construction where it is part of the design. If I implement my own design I have to maintain it when there are updates and such.
My reasoning for using mailcow is its beautiful way of collecting all the different pieces into one manageable solution. So, building my own kinda go against it all :-)

esackbauer

Then just encrypt the docker volume “crypt-vol-1”.
That again is something which can be done on Linux. Move that volume to a different partition/file system which you can encrypt.
“all the different pieces into one manageable solution”
That is the reason why it is not included. Something requiring admin intervention to start properly is not best practice.

lnxgeek

esackbauer Good points 👍

lnxgeek

Just to follow up on this one.
I created an encrypted file with cryptsetup (LUKS) and mounted it onto “mailcowdockerized_crypt-vol-1/_data”.
Moved the files from the original “mailcowdockerized_crypt-vol-1” and into the now encrypted one and it just works :-)

All this has of course been done with all containers shutdown.

It was crazy easy which just show how well designed and packaged mailcow is.
The only caveat is that you need to modify the docker-compose.yml and change all “restart: always” to “restart: no”. This stops the services from starting after boot. As you need to manually mount the volume before dovecot can read the keys, every reboot requires manual intervention. This is a little price to pay for protection of the mails.

I have injected a short curl command in the crontab which pings me constantly with Pushover messages until I react:
curl -s -X POST -d token=APP_TOKEN&user=USER_TOKEN&message=Server_rebooted&title=Reboot&priority=2 https://api.pushover.net/1/messages.json

esackbauer

lnxgeek The only caveat is that you need to modify the docker-compose.yml and change all “restart: always” to “restart: no”.

If mailcow is the only thing running on that docker host, you could disable the dockerd to start:
https://docs.docker.com/engine/install/linux-postinstall/#configure-docker-to-start-on-boot-with-systemd

And instead start dockerd manually:
https://docs.docker.com/config/daemon/start/
Then you would not need to change the docker-compose.yml

lnxgeek

But of course 😆
Thanks for yet another great input 👍

lnxgeek

I’ve tried the solution with the Docker daemons and you need to disable docker.sock as well:

systemctl disable docker.service docker.socket

to keep it from starting up.