content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: mail_crypt section

content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md

@@ -28,8 +28,8 @@ ports](#unblock-your-ports).
 
 I'll cut to the chase: the main reason why you'd want to run your own mail server is for related reasons of privacy and
 digital sovereignty. For privacy benefits, as much as you have control over your server, you can protect your email
-from the eyes of prying server admins (given that you yourself are the admin). Even for email providers that market
+from the eyes of prying server admins (given that you yourself are the admin). Even email providers that market
-themselves around privacy such as Protonmail, rely on trust that Proton are not reading your unencrypted incoming
+themselves around privacy (e.g. Protonmail) rely on trust that the provider is not reading your unencrypted incoming
 email. This is not an issue exclusive to any particular mail provider; if information arrives unencrypted at a server,
 those with access to the server (i.e. administrators) can read that information, simple as. And as nice as it would be
 if everyone used GPG end-to-end encryption for email, the vast majority of emails people receive are not end-to-end
@@ -741,6 +741,63 @@ get an error message when restarting.
     # rc-update add dovecot default
     # rc-service dovecot start
 
+## mail\_crypt
+
+Dovecot has a [mail\_crypt plugin](https://doc.dovecot.org/main/core/plugins/mail_crypt.html) which implements
+**transparent** encryption at rest for mail. By transparent, I mean "invisible" to email clients; you can use an IMAP
+client with your server with no changes, and no difference in user experience. Mail is decrypted on the server and sent
+over IMAP.
+
+We will optionally set up global key mail\_crypt encryption. This does not provider protection against an attacker with
+root access, or full disk access (which is basically root access), however it can protect against other processes
+reading our mail since they can't read the private key.
+
+If you want to implement it, declare usage of the `mail_crypt` plugin in `/etc/dovecot/dovecot.conf`:
+
+```conf
+mail_plugins = $mail_plugins mail_crypt
+```
+
+Now let's generate some elliptic curve keys for this.
+
+See what curves are available:
+
+    $ openssl ecparam -list_curves
+
+If we pick `prime256v1` as our curve, then run:
+
+    $ openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem
+
+to generate the private key. To generate the public key:
+
+    $ openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem
+
+Now move these keys to `/etc/dovecot/` and make sure they are owned by `dovecot`:
+
+    # mv ecpubkey.pem /etc/dovecot
+    # mv ecprivkey.pem /etc/dovecot
+    # chown dovecot:dovecot ecpubkey.pem ecprivkey.pem
+
+Give them the correct permissions:
+
+    $ cd /etc/dovecot
+    # chmod 644 ecpubkey.pem
+    # chmod 600 ecprivkey.pem
+
+Anyway, create and edit `/etc/dovecot/conf.d/90-mail_crypt.conf` and configure the plugin as follows:
+
+```conf
+plugin {
+    mail_crypt_global_private_key = </etc/dovecot/ecprivkey.pem
+    mail_crypt_global_public_key = </etc/dovecot/ecpubkey.pem
+    mail_crypt_save_version = 2
+}
+```
+
+Restart Dovecot for the changes to take effect:
+
+    # rc-service dovecot restart
+
 # Use a local email client
 
 You are now ready to try logging in on a local email client such as Thunderbird, Evolution, Geary, KMail, etc.
@@ -1149,7 +1206,7 @@ indicating whether or not the email has passed DKIM authentication.
 
 Send a test email from your domain and look at the email headers of the sent email.
 
-``` {hl_lines=[1,11,23]}
+```plaintext {linenos=false,hl_lines=[1,11,23]}
 Return-Path: <pid1@revsuine.xyz>
 Received: from master.revsuine.xyz (master.revsuine.xyz. [93.113.25.226])
         by mx.google.com with ESMTPS id ffacd0b85a97d-3825fb5a132si1538595f8f.66.2024.11.22.08.53.01