Dovecot: Difference between revisions
Edit summary: Add info about enabling encryption at rest with mail_crypt plugin
Latest revision as of 18:16, 11 February 2025
This article is about dovecot, a secure IMAP server.
mail_crypt plugin (encryption at rest)
The following seems to make mail_crypt work in its per-user/per-folder mode (note that this mode is still described as 'not production quality' in the dovecot docs):
    security.pam.services.dovecot2 = { }; # needed as we disable PAM below
    services.dovecot2 = {
      enable = true;
      enablePAM = false; # need to disable this as we redefine passdb
      mailPlugins.globally.enable = [ "mail_crypt" ];
      pluginSettings = {
        mail_crypt_curve = "secp521r1";
        mail_crypt_save_version = "2";
        mail_crypt_require_encrypted_user_key = "yes";
      };
      extraConfig = ''
        # per-user/per-folder mode keeps the keys as mailbox attributes in this dict
        mail_attribute_dict = file:%h/.attributes
        userdb {
          driver = passwd
        }
        passdb {
          driver = pam
          # the user's login password (hashed) unlocks the encrypted private key
          override_fields = userdb_mail_crypt_private_password=%{sha256:password} userdb_mail_crypt_save_version=2
          args = failure_show_msg=yes dovecot2
        }
      '';
    };
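Enabling the plugin only affects mail saved from then on, so a useful check after applying the configuration above is to scan a Maildir and list any messages still stored in plaintext. The script below is an added example, not part of the wiki article or of dovecot itself; it assumes the on-disk magic header that dovecot's lib-dcrypt writes ("CRYPTED\x03\x07" plus a NUL byte, then one version byte), which is taken from the dovecot source and is not stated on this page.

```python
"""Report which files in a Maildir are mail_crypt-encrypted at rest."""
import os
import sys

# Assumed from dovecot's lib-dcrypt: encrypted files start with this magic,
# followed by a single version byte (2 for mail_crypt_save_version = 2).
CRYPT_MAGIC = b"CRYPTED\x03\x07\x00"
EXPECTED_VERSION = 2


def classify_file(path):
    """Return 'encrypted', 'encrypted-other-version', 'plaintext' or 'empty'."""
    with open(path, "rb") as fh:
        head = fh.read(len(CRYPT_MAGIC) + 1)
    if not head:
        return "empty"
    if not head.startswith(CRYPT_MAGIC):
        return "plaintext"
    if len(head) > len(CRYPT_MAGIC) and head[len(CRYPT_MAGIC)] == EXPECTED_VERSION:
        return "encrypted"
    return "encrypted-other-version"


def scan_maildir(root):
    """Walk every cur/ and new/ directory below root and tally the results.

    Returns (counts, plaintext_files). Mail delivered before the plugin was
    enabled is never re-encrypted by dovecot, so plaintext_files is the list
    an administrator has to deal with (e.g. by re-saving those messages).
    """
    counts = {"encrypted": 0, "encrypted-other-version": 0,
              "plaintext": 0, "empty": 0}
    plaintext = []
    for dirpath, _dirs, files in os.walk(root):
        # index/log files live next to cur/ and new/ and are never encrypted
        if os.path.basename(dirpath) not in ("cur", "new"):
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify_file(full)
            counts[kind] += 1
            if kind == "plaintext":
                plaintext.append(full)
    return counts, sorted(plaintext)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Maildir")
    counts, leaks = scan_maildir(root)
    print(counts)
    for path in leaks:
        print("plaintext:", path)
```

Run it as the mail user against the mailbox path (`~/Maildir` by default); a non-empty plaintext list after migration means those messages are not protected by mail_crypt.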
Troubleshooting
sievec fails to compile basic sieve scripts
Sieve commands such as fileinto need to be enabled explicitly with:
services.dovecot2.sieve.globalExtensions = ["fileinto"];
Otherwise, the sievec command will fail to compile sieve scripts with fileinto statements and, as a result, the Dovecot service itself will fail to start if the configuration contains services.dovecot2.sieve.scripts.