Harddrive, Folder and Database encryption for hMailServer

This section contains user-submitted tutorials.
Post Reply
User avatar
Dravion
Senior user
Senior user
Posts: 1492
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Harddrive, Folder and Database encryption for hMailServer

Post by Dravion » 2018-11-22 14:31

Lately we as Admins are challenged by new regulations like PCI DSS and GDPR

One of the recommendations or even requirements can be full or Partwise Diskencryption.
Emails, IP-Addresses, Email plus Attachements are now considered as Personaldata and must be stored in a secure way.
Since Windows Vista (only for non Home, Home Premium, Basic and Starter Editions) called Bitlocker. Bitlocker will only encrypt entire
Hardrives and has no selective mode and requires a Hardware TPM Chip on your Mainboard (or a Tricky workarround on it) to be enabled.
Also, Bitlocker isnt OpenSource and on Windows 10 it will automatically save a DeEncryption Certificate to your Microsofts Cloud "OneDrive"
which cannot be avoided without tricks. Its also not known if someone else has a Backdor into Bitlocker so i recommend a robust, transparent, OpenSource alternative instead of Bitlocker and here it is:

VeraCrypt
Many of you know Truecrypt which development has stalled in 2007 but development as OpenSource-Project has continued by a few
Projects since them.VeraCrypt is in 2018 the most active Development and even the original Author of TrueCrypt is involved in it.It is
mature and Battleproven and has improved a lot since the Truecrypt day, so this Tutorial will reflect mainly VeraCrypt Version 1.23
Your can download it from: https://www.veracrypt.fr/en/Downloads.html

What can VeraCrypt do for you?
*It can Encrypt Containers which will be avaible as Drive letters and it can enrypt whole Hardisk Partitions

Attention:
Any form of File Encryption and DeIncryption requires computation and can stress your CPU out, so decide wisely what to encrypt!

hMailServer encryption with VeraCrypt
hMailServer stores its DATA by default into its own folder , into a Subfolder DATA, which must be encrypted in any case. It conains
EML Files, which contains the entire Mailtext plus Headerinformations and even Base64 encoded (not encrypted) Attachements like PDF's,
Pictures, Documents ect). There is also the Databasefolder, wich is only relevant if you use MS-SQL-CE

The following list shows what should be transparently encrypted by VeraCrypt

hMailServer with MS-SQL-CE
[Installlocation]\hMailServer\Data
[Installlocation]\hMailServer\Database
Or the entire hMailServer folder with all its subfolders

hMailServer with MS-SQL-Server (2008 SP4 -> 2017 Express Standard and Enterprise)
[Installlocation]\hMailServer\Data
C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL (if its for example SQLServer 2017 Express)

hMailServer with Oracle MySQL 5.7 and higher (8.0 Included)
[Installlocation]\hMailServer\Data
C:\ProgramData\MySQL\MySQL Server 8.0\Data

hMailServer with PostgreSQL 10 and higher
[Installlocation]\hMailServer\Data
C:\Program Files\PostgreSQL\10\data

Begin of Tutorial

Install hMailServer
Install hMailServer as usual or use a preinstalled (32-Bit version, the official hMailServer version), install it for this Tutorial with the
integrated MS-SQL-CE Database. Your can adapt it to your needs for other Databasesystems folder as you need.

Install VeraCrypt
01) DoubleClick the VeraCrypt Installer VeraCrypt Setup 1.23
02) Follow the generic Install instructions until the Software is installed", click finish
03) Goto Windows File Explorer and Create 2 Folders 1) C:\VeraCryptContainers and VeraCryptKeyFiles
04) On your Windows Desktop, click the VeraCrypt Icon and Start VeraCrypt GUI
05) In Mainmenue goto the Settings and click "Default Keyfiles..." and select "Try first to mount with empty Password"
06) Click the "Generate Random Keyfile..." Button
07) In the "Keyfiles base name" inputfield type in: hMailServerContainerKey and click the "Generate and Save Keyfile"
08) Choose in the "Browse for Folder" Dialog the Folder C:\VeraCryptKeyFiles and click the "OK" Button and click Close
09) In the VeraCrypt - Keyfiles Dialog click "Add Files..." Button and add C:\VeraCryptKeyFiles\hMailServerContainerKey
10) Click the "OK" Button and Click yes on the next VeraCrypt Warning Dialogbox
11) Click the "Create Volume" Button in VeraCrypt Mainmenue, accept settings and Click Next and again next
12) In the Volume Location Dialog type in: C:\VeraCryptContainers\hMailServerContainer
13) Accept in the Next Dialog defaults and click Next and in Volume Size select MB and type in 512 and click "Next"
14) As Volume Password use choose "Use keyfiles.." and select C:\VeraCryptKeyFiles\hMailServerContainerKey
15) Leave Password and Confirm inputfiles empty and click "Next" Button
16) In Volume Format choose NTFS, click the "Format" Button and wait, click "Yes" in the Popup for UAC Permissions
17) Click OK if the Popup "The VeraCrypt volume has been successfully created." and Click the "Exit" Button
18) Select Drive letter "Q:" and click the "Mount" Button
19) Right click the Q:C:\VeraCrypt ...." entry and click "Add to Favorites..."
20) Select "Mount" selected volume upon logon and click the "OK" Button and Exit in the Maindialog

Now you have a new VeraCrypt encrypted Drive Q:\ but to make sure it is successfulle mounted on Systemstart restart your Computer
and check if it really works. If everything works as expected, we can move your hMailServer DATA and Databasefolder location
and edit your hMailServer.ini as shown in the Screenshot below.

WARNING:
Resist the idea, installing hMailServer completely on your new encypted Drive letter Q:\ because your hMailServer service will
fail on Automatic startup because i needs a Moment until the Q: Drive becomes avaiable, which is to late, even if you use
"Deferred Automatic start for hMailServer

Formating the encrypted Container
hMS_VC_Format.png
If everything works as expected, you have a new automounted Encrypted VeraCrypt Drive Q:\ for your hMailServer Data.
hMS_VC_Overall.jpg
End of Tutorial

User avatar
katip
Senior user
Senior user
Posts: 703
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Harddrive, Folder and Database encryption for hMailServer

Post by katip » 2018-11-22 21:34

thanks for suggestion. Veracrypt is indeed valuable.

IMO it's a better idea to encrypt entire system partition (C:) which mounts upon start and before Windows loads. otherwise, IIRC Veracrypt requires a (Win)logon to mount encrypted containers. On a server system this is usually not a preferred option i think.

On the other hand, encrypting system partition requires physical access during boot, in fact decryption password must be entered to boot at all. On a remote administered server (RDP) this will be a problem, for example when rebooting is needed after an OS update.

In any case, Veracrypt rocks as an excellent security tool. Can read/write older TrueCrypt volumes too (100% compatible with TC), actually it's a fixed and further developed TrueCrypt with a different name. Project is quite alive and well supported. indispensable for my mission critical laptop + external HDs/flashs since TC times...
Katip
--
HMS 5.7.0-B2428-LTS-64-bit, MySQL 5.7.24, SA 3.4.2, ClamAV 0.101.2 + SaneS

User avatar
Dravion
Senior user
Senior user
Posts: 1492
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: Harddrive, Folder and Database encryption for hMailServer

Post by Dravion » 2018-11-22 22:13

Hi Kati,
The Automounter mounts the Container automatically upon Systemstart without
Userinput (via Keyfile) and its works with hMailServer if no Windows Password is set or a specific Windows User uses Autologon. But if i ReEnable Windows Password Logon it could be a Problem.

For Server Scenarios a Non-System encrypted
Harddisk Partition could be the Solution, because it doesnt need a Password like if the Systempartition
is encrypted and the VeraCrypt Bootloader needs some Userinput first before Windows is starting.

User avatar
mattg
Moderator
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Harddrive, Folder and Database encryption for hMailServer

Post by mattg » 2018-11-22 22:56

Good write up thanks Dravion

Also, the data directory and database directory used by hMailserver can be changed in the hmailserver.ini

You could set these to the VeraCrypt folders, but you may need to check user permissions for this folder for the user that runs the hMailserver service

This is similar to what happens if you use a NAS or SAN for your data directory

Dravion wrote:
2018-11-22 14:31
Lately we as Admins are challenged by new regulations like PCI DSS and GDPR

One of the recommendations or even requirements can be full or Partwise Diskencryption.
Emails, IP-Addresses, Email plus Attachements are now considered as Personaldata and must be stored in a secure way.
Since Windows Vista (only for non Home, Home Premium, Basic and Starter Editions) called Bitlocker. Bitlocker will only encrypt entire
Hardrives and has no selective mode and requires a Hardware TPM Chip on your Mainboard (or a Tricky workarround on it) to be enabled.
Also, Bitlocker isnt OpenSource and on Windows 10 it will automatically save a DeEncryption Certificate to your Microsofts Cloud "OneDrive"
which cannot be avoided without tricks. Its also not known if someone else has a Backdor into Bitlocker so i recommend a robust, transparent, OpenSource alternative instead of Bitlocker and here it is:

VeraCrypt
Bitlocker is an integrated Microsoft component so should be safe to use (well as safe as the underlying OS, anyway). I have OneCloud disconnected at worst, and uninstalled where I can - uninstalling it is getting harder and harder, and some windows 10 updates re-install or re-active it - but that is a different discussion.

VeraCrypt looks interesting though, I will take a look.

Also, as an aside I have seen some techs say that they would rather not use any OPEN SOURCE software for any security application. This I think comes from the New Years Eve coding debacle at OpenSSL a few years back that created Heartbleed. A real issue for open source when a) google found and published the exploit, and b) the NSA reported knowing about it for up to 9 months.

But if you won't use open source, then you won't use hMailserver (or Postfix or EXIM etc), right?

Obviously, you choose Open Source (as do I), but what about the proprietary Operating System...?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
Dravion
Senior user
Senior user
Posts: 1492
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: Harddrive, Folder and Database encryption for hMailServer

Post by Dravion » 2018-11-22 23:20

mattg wrote:
2018-11-22 22:56
Good write up thanks Dravion
thx^^
Also, the data directory and database directory used by hMailserver can be changed in the hmailserver.ini

You could set these to the VeraCrypt folders, but you may need to check user permissions for this folder for the user that runs the hMailserver service

This is similar to what happens if you use a NAS or SAN for your data directory
Yes, but as long its a mapped Drive to Q:\ without special permissions, it works (i checkd every step)
but for NAS and Windows Server a Non-System Drive Partition might be the better Solution as a Encryped Container Drive.
This I think comes from the New Years Eve coding debacle at OpenSSL a few years back that created Heartbleed. A real issue for open source when a) google found and published the exploit, and b) the NSA reported knowing about it for up to 9 months.
Completely 100% agree.
Thats why the OpenBSD UNIX Team (which is highly respected for its Security Skills) forked OpenSSL in 2014 and rewrote it, improved it and made it avaisble (also for Windows) and it works verry well with hMailServer.I try to convice Martin to use it by default but as you know, he is busy.
Obviously, you choose Open Source (as do I), but what about the proprietary Operating System...?
I work on the Linux port, but its a hugh load of work.
The Server core code alone is somewhat about 200.000 Lines of code. But on any failed built i understand more what not to do ;~

User avatar
mattg
Moderator
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Harddrive, Folder and Database encryption for hMailServer

Post by mattg » 2018-11-22 23:59

Just looked at VeraCrypt

Those people are seriously tin foil hat types - they really take this stuff very seriously
https://www.idrix.fr/VeraCrypt/canary.txt

I was checking my firewall logs the other day and found something really interesting
One of the DNS servers that I query for some of the DNSBL lists in hmailserver is identified as a DoD server in the USA
https://gwhois.org/192.112.36.4+dns

Should I go and buy some foil to make a hat?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
Dravion
Senior user
Senior user
Posts: 1492
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: Harddrive, Folder and Database encryption for hMailServer

Post by Dravion » 2018-11-23 15:26

Yeah, they are serious :D

By the way, its true. The VeraCrypt Q:\ doesnt comes up automatically until

By the way, its true, that a Password protected Windows user prevents hMailServer service from starting because the Q:\ drive isnt
ready. At least a user has to login, restart the hMailServer and Logoff from Windows, this will leave the Q:\ avaiable.

However, this Solutions isnt usefull for Windows Server User, so i write a Tutorial using VeraCrypt encrypting a Windows (Non-System)
NTFS-Partition, which doesnt have such Problems and are Reboot/Restart safe.

User avatar
katip
Senior user
Senior user
Posts: 703
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Harddrive, Folder and Database encryption for hMailServer

Post by katip » 2018-11-23 21:17

Hi Dravion,

there is a "System Favorite Volumes" thing in VeraCrypt which offers automounting (non-sys)containers before Windows loads. however again it requires system partition/drive to be encrypted, i.e. manually entering a pre-boot password to start the box.
could be useful on remote administrated server systems unless a reboot is needed.
never tried it.
https://www.veracrypt.fr/en/System%20Fa ... lumes.html
Katip
--
HMS 5.7.0-B2428-LTS-64-bit, MySQL 5.7.24, SA 3.4.2, ClamAV 0.101.2 + SaneS

User avatar
Dravion
Senior user
Senior user
Posts: 1492
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: Harddrive, Folder and Database encryption for hMailServer

Post by Dravion » 2018-11-23 21:40

I have tested this feature, its says "its not avaiable at this time" even for formatted Windows System Partitions and even
if you have only a C: Drive and encrypt the whole C:\ Drive with Windows and everything on it. As soon as i found out, i looked up the
Documentation and the Forum but there is no furter info why it doesnt work. I contacted the VeraCrypt support and described the Problem.
The "its not avaiable for this type of Encryption" Messages comes up if you try to enable the feature and load a key.

I think is primary for Linux users but its not functional on Windows right now.

mats
New user
New user
Posts: 26
Joined: 2018-05-06 20:58

Re: Harddrive, Folder and Database encryption for hMailServer

Post by mats » 2018-12-23 18:17

Just to clarify.

Win 8 and above will store a bitlocker key in onedrive if you log on with an MS account during installation. If you choose a local account it won't (it won't default arm bitlocker either).
IF the box is joined to an AD domain it's controllable by GPO

If you just would like to encrypt a file or a folder on a windows box without third party tools you can on pro or better by using EFS.

My definition is that bitlocker is anti-theft. IE the burglar that takes the box can't get access to the data. An admin can log on to the box and read you data anyway.
EFS is information protection. No one without access to the Efs key can access the data.

Post Reply