
Encrypted Email Server VPS on Offshore Anubiz Host

Encrypted email server hosting means two things: encryption in transit so messages cannot be intercepted, and encryption at rest so an attacker who somehow obtains a disk image cannot read mailboxes. Anubiz Host offshore VPS supports both, with LUKS full-disk encryption at provisioning, TLS 1.3 enforcement on SMTP and IMAP, and full root access so you can layer PGP or per-message crypto on top.


Encryption in Transit

Encryption in transit for a mail server covers three paths: SMTP between MTAs, submission from clients on port 587, and IMAP or POP3 retrieval on ports 993 and 995. Anubiz Host offshore VPS supports all of these with current TLS 1.3 cipher suites and proper certificate management through Let's Encrypt or a paid CA of your choice. Postfix should set smtp_tls_security_level to dane or encrypt, depending on your tolerance for legacy peers. DANE, with TLSA records published in your DNS, gives the strongest in-transit guarantees because it pins the expected certificate at the DNS layer and makes the sending server verify the peer's certificate instead of merely negotiating opportunistic TLS. For client submission, configure SASL authentication only over TLS, never plaintext. Dovecot IMAPS should disable protocol versions below TLS 1.2 and prefer forward-secret cipher suites. The Anubiz Host customer panel surfaces TLS configuration health checks so you can verify your stack from the outside.
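The following is an added example, not code from Anubiz Host or the original page: a small Python audit that checks a Postfix main.cf and a Dovecot config for the in-transit settings described above. The rule set, the sample configs, and the choice to report unset settings (so that values are pinned explicitly rather than left to version-dependent defaults) are assumptions of this example; setting names follow Postfix and Dovecot 2.3.

```python
import re

# Accepted values per setting. Setting names are Postfix and Dovecot 2.3
# parameters; which values pass is this example's assumption.
POSTFIX_RULES = {"smtp_tls_security_level": {"dane", "encrypt"},
                 "smtpd_tls_auth_only": {"yes"}}  # SASL only after STARTTLS
DOVECOT_RULES = {"ssl": {"required"},
                 "ssl_min_protocol": {"TLSv1.2", "TLSv1.3"},
                 "disable_plaintext_auth": {"yes"}}

def parse_conf(text, postfix=False):
    """Collect top-level 'key = value' settings; the last assignment wins."""
    settings, key, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if postfix and raw[0].isspace() and key:  # main.cf continuation line
            settings[key] = (settings[key] + " " + line).strip()
        elif not postfix and line.endswith("{"):  # entering a Dovecot block
            depth += 1
        elif not postfix and line == "}":         # leaving a Dovecot block
            depth -= 1
        elif depth == 0:                          # ignore nested block settings
            m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
            if m:
                key, settings[m.group(1)] = m.group(1), m.group(2)
    return settings

def audit(text, rules, postfix=False):
    """Return {setting: value found} for each rule the config fails."""
    conf = parse_conf(text, postfix)
    return {k: conf.get(k, "<unset>") for k, ok in rules.items()
            if conf.get(k) not in ok}

# Constructed sample configs: a permissive stack and a hardened one.
WEAK_POSTFIX = "smtp_tls_security_level = may\nsmtpd_tls_auth_only = no\n"
HARD_POSTFIX = ("smtp_tls_security_level =\n    dane\n"
                "smtp_dns_support_level = dnssec\nsmtpd_tls_auth_only = yes\n")
WEAK_DOVECOT = ("ssl = yes\nservice imap-login {\n  inet_listener imap {\n"
                "    port = 143\n  }\n}\n")
HARD_DOVECOT = ("ssl = required\nssl_min_protocol = TLSv1.2\n"
                "disable_plaintext_auth = yes\n")

if __name__ == "__main__":
    for name, cfg, rules, pf in [("postfix", WEAK_POSTFIX, POSTFIX_RULES, True),
                                 ("dovecot", WEAK_DOVECOT, DOVECOT_RULES, False)]:
        for setting, value in audit(cfg, rules, pf).items():
            print(f"{name}: {setting} = {value}")
```

The parser reads only top-level settings, so a Dovecot value overridden inside a nested block is not evaluated by this check.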

Encryption at Rest with LUKS and mail_crypt

Encryption at rest is two layers. The lower layer is full-disk LUKS encryption on the VPS itself, which protects against an attacker who obtains a raw disk image. Anubiz Host supports LUKS at provisioning, and the passphrase is held by you, not by the provider. Without your passphrase, the disk is not readable even by Anubiz Host operators. The upper layer is Dovecot's mail_crypt plugin, which encrypts individual messages on disk using per-user keys derived from the login password. With mail_crypt enabled, even an attacker with disk access and the LUKS passphrase still cannot read mail unless they know individual user passwords. For maximum protection, combine both layers with PGP at the client. End-to-end PGP encryption from the sender's client to the recipient's client means the server holds only ciphertext at all times. The server still routes envelopes and signs DKIM, but message bodies are opaque.

Operational Trade-Offs of Encrypted Mail

Encrypted mail introduces operational trade-offs you should understand before deploying. Server-side full-text search becomes harder if message bodies are encrypted on disk. Dovecot index files contain enough metadata that you can search subject lines and senders, but body search requires either client-side indexing or server-side indexing with a key the server holds, which weakens the at-rest encryption guarantee. Recovery from forgotten passwords is also harder. With mail_crypt active and per-user keys, a user who forgets their password loses access to their stored mail because the key cannot be recovered. This is a deliberate property, not a bug. Document the trade-off clearly to your users. PGP at the client layer is the strongest end-to-end model and is fully compatible with any Anubiz Host VPS mail stack. Thunderbird, Apple Mail, K-9 Mail, and most other clients support PGP natively or via plugins.

Why Anubiz Host

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.
