Thanks for the link. That sounds like the most hassle-free approach for me (since I don't have much mail yet). I think I'll give that a shot. And I'll be sure to make a backup first.

PS: apologies to Aki by the way, for accidentally replying directly to you earlier as well. I can't get protonmail to reply to the mailing list only, without manually adjusting it. Also apologies for answering above the message now, when I answered underneath the message first. Since I don't see a consistent style in this mailing list I'll use my preferred style of answering above messages from now on.

On Wednesday, February 22nd, 2023 at 00:49, Ben Burk <b...@burk.tech> wrote:

> I would definitely get mail-crypt working on your system before worrying
> about encrypting existing emails. Iirc dovecot should support both types
> of files (encrypted, and non-encrypted) concurrently. So BEFORE you try
> anything, make sure via logs, etc that mail is being written to the fs
> as an encrypted file and that dovecot is able to decrypt it (i.e. you
> are able to view that particular mail file from your email client).
>
> My specific use case way back was to encrypt a maildir system using this
> plugin a year or so ago. I believe there are 2 ways to set mail-crypt
> up. Using global keys or folder-specific keys. What you will learn going
> through this process using folder-specific keys is that any time mail is
> moved (from an IMAP directory to another) the mail becomes effectively
> re-encrypted using the destination's folder keys. I imagine how this
> works under global keys is that the mail is encrypted once when it is
> moved, then never again unless keys change. So all you would need to do
> to encrypt existing mail using either method would be to create a temp
> imap folder, move mail from each IMAP folder one at a time into this
> temp folder, then back to the original IMAP folder.
>
> I had a few questions at the time in implementing this, so I've linked
> here the dovecot mailing list thread so it might provide some context if
> needed:
>
> https://dovecot.org/pipermail/dovecot/2021-July/122469.html
>
>
> On 2/21/23 16:29, Jeremy wrote:
>
> > On Tuesday, February 21st, 2023 at 09:54, Aki Tuomi
> > aki.tu...@open-xchange.com wrote:
> >
> > > > On 16/02/2023 07:18 EET mailinglist-subscriptions
> > > > mailinglist-subscripti...@protonmail.com wrote:
> > > >
> > > > Hi,
> > > >
> > > > I am using dovecot 2.3.16, along with postfix and a PostgreSQL database
> > > > for managing virtual accounts.
> > > >
> > > > I'd like to start using the mail-crypt plugin. However, I'm having a
> > > > bit of difficulty understanding the documentation at
> > > >
> > > > https://doc.dovecot.org/configuration_manual/mail_crypt_plugin
> > > >
> > > > to reach my goal. I plan to ask questions about those issues by
> > > > starting new threads in this mailing list. But before I even come to
> > > > that, I'd like to investigate the following:
> > > >
> > > > The above documentation only addresses a clean install and doesn't seem
> > > > to mention encrypting already existent unencrypted mails, like my
> > > > server has. Is it possible to encrypt those before I start using the
> > > > mail-crypt plugin, such that it will be able to decrypt those messages
> > > > as well?
> > > >
> > > > If it is, I am assuming that how I would go about achieving that will
> > > > be very dependent on the ultimate configuration I have in mind
> > > > (pub/priv keys, etc.). So I don't expect a full-fledged guide. However,
> > > > if you could perhaps give a general overview of what would be needed to
> > > > achieve this, I would very much appreciate that.
> > > >
> > > > Thank you.
> > >
> > > It will be easiest to do migration to new server, then the data will get
> > > encrypted while migrating. It is possible to write a script to do this,
> > > but will be much more hassle than migration.
> > >
> > > You might even be able to do it for one user at a time, by doing
> > > migration from maildir to maildir and then moving the new maildir over
> > > the old one.
> > >
> > > Aki
> > > Thanks for the suggestion. However, migrating sounds like quite the
> > > hassle as well.
> >
> > Now, I have next to no knowledge about the synchronization workings of
> > IMAP, so perhaps this is totally infeasible, but could the following work?
> >
> > - Preface
> > I am the only user of the mail server, with one virtual catch-all account
> > for each domain I own. I access these accounts with Thunderbird.
> >
> > - Solution
> > I make a backup of all mail in my Thunderbird accounts. Then I either
> > delete all mails from within Thunderbird, or on the server. Then I
> > configure the mail-crypt plugin. And then I import all backup mails and
> > folders into my Thunderbird accounts again?
> >
> > Could that work? Or would that mess up the synchronization history (message
> > IDs and what not)? And most importantly, if it actually could work, would
> > the messages be properly encrypted then?
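
Added example, not part of the original thread and not Dovecot project code: one way to carry out the check Ben describes (is mail actually landing on the filesystem encrypted, and which existing messages are still plaintext) is to look at the first bytes of every file under a Maildir's `cur/` and `new/` directories. It relies on files written by mail-crypt starting with the magic `CRYPTED\x03\x07`; the function names, file names and sample messages are constructed for illustration.

```python
import os
import sys
import tempfile
from pathlib import Path

# Magic bytes at the start of a file written through Dovecot's crypt stream.
CRYPT_MAGIC = b"CRYPTED\x03\x07"


def is_encrypted(path):
    """Return True if the file begins with the mail-crypt magic header."""
    with open(path, "rb") as fh:
        return fh.read(len(CRYPT_MAGIC)) == CRYPT_MAGIC


def audit_maildir(root):
    """Classify every message file under cur/ and new/ of a Maildir tree.

    Returns {"encrypted": [...], "plaintext": [...]}, paths relative to root.
    """
    root = Path(root)
    report = {"encrypted": [], "plaintext": []}
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name not in ("cur", "new"):
            continue  # skip tmp/ and index/control files next to the folders
        for name in files:
            full = Path(dirpath) / name
            kind = "encrypted" if is_encrypted(full) else "plaintext"
            report[kind].append(str(full.relative_to(root)))
    return {kind: sorted(paths) for kind, paths in report.items()}


def build_sample_maildir(root):
    """Constructed sample: one old plaintext mail, two files with the magic."""
    filler = b"\x00" * 32  # placeholder bytes, not real ciphertext
    samples = {
        "cur/1676990000.M1.host:2,S": b"Subject: old mail\r\n\r\nhello\r\n",
        "new/1677020000.M2.host": CRYPT_MAGIC + filler,
        ".Temp/cur/1677020100.M3.host:2,S": CRYPT_MAGIC + filler,
    }
    for rel, data in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


if __name__ == "__main__":
    # Pass a real Maildir path, or run without arguments for the sample.
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        if target == tmp:
            build_sample_maildir(tmp)
        for kind, paths in audit_maildir(target).items():
            print(f"{kind}: {len(paths)}")
            for rel in paths:
                print("  " + rel)
```

A file listed as encrypted only shows that the header is present; whether Dovecot can decrypt it still has to be confirmed by opening that message from the mail client, as the reply above says.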