Dovecot - mail_crypt - lmtp-server - no password to decrypt the key

Baljeet Bhinder contact at baljeetbhinder.ca
Mon Jan 9 15:15:46 UTC 2023


Not sure if that helps in finding the conflicting plugin, but here is the success log that saves an unencrypted mail (after disabling mail_crypt).

---- Lmtp Log ----
lmtp(314): Info: Connect from 172.17.0.1
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): Started userdb lookup
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb (pid=144,uid=0): Client connected (fd=18)
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): auth USER input: someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): Finished userdb lookup (username=someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2)
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/:LAYOUT=fs
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: fs: root=/var/vmail/mailboxes/example.com/someone, index=, indexpvt=, control=, inbox=/var/vmail/mailboxes/example.com/someone, alt=
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Mailbox INBOX: Mailbox opened
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Info: msgid=<4e6b1652-8a1f-892f-af09-b9447dbbfcfd at example.com>: saved mail to INBOX
lmtp(314): Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: User session is finished
lmtp(314): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
---- Lmtp Log Ends ----


January 9, 2023 6:00 AM, "Aki Tuomi" <aki.tuomi at open-xchange.com> wrote:

>> On 08/01/2023 18:55 EET Baljeet Bhinder <contact at baljeetbhinder.ca> wrote:
>> 
>> I have been using postfix+dovecot successfully for a while now until I tried the mail crypt plugin
>> lately. I tried what is described here
>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin and I went for global-keys as
>> described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys
>> "A good solution for environments where no user folder sharing is needed is to generate per-user EC
>> key pair and encrypt that with something derived from user’s password."
>> 
>> I am setting mail_crypt_global_private_key, mail_crypt_global_public_key, mail_crypt_save_version
>> from user_query and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt
>> seems to work fine in imap (I saved a message as draft and it is stored encrypted on the disk), but
>> lmtp complains about "mail_crypt_global_private_key_password unset, no password to decrypt the key"
>> As you can see below in logs that it was able to set all other mail_crypt_ configurations
>> successfully from user_query. However, the password is provided via password_query and I assume
>> lmtp does not read password_query. How else can I provide a password in lmtp? Is my approach
>> correct to begin with?
> 
> Hi!
> 
> The problem with user-password derivation is what you've run into. Some features, like quota or
> FTS, might need to access the user's mail without being able to access the password, because it's not
> available.
> 
> If you run into these, the only thing you can do is to not use conflicting features. Using the user's
> password as the encryption key is a very tricky thing to get working right.
> 
>> Thanks
>> Baljeet Bhinder
> 
> Regards,
> Aki


Thanks,
Baljeet Bhinder
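The failure described in this thread can be spotted from the LMTP debug log alone: the session lists every plugin/* setting it received from userdb, and if an encrypted mail_crypt global private key arrives without its mail_crypt_global_private_key_password, delivery cannot decrypt. The script below is an added example written for this thread, not Dovecot code or the poster's configuration. It assumes the "Added userdb setting: plugin/<name>=<value>" line format shown in the log above and that the key is supplied either as PEM or as base64-encoded PEM (the LS0tLS1C... form in the log); the PEM bodies and log lines it embeds are constructed placeholders, not real keys.

```python
"""Check a Dovecot LMTP debug log for an encrypted mail_crypt private key that
arrived from userdb without its password (added diagnostic example)."""
import base64
import binascii
import re

# Dovecot LMTP debug lines look like:
#   ...: rcpt user@example.com: Added userdb setting: plugin/<name>=<value>
SETTING_RE = re.compile(
    r"Added userdb setting: plugin/(?P<name>[A-Za-z0-9_]+)=(?P<value>\S*)"
)


def parse_userdb_settings(log_lines):
    """Collect the plugin/* settings LMTP reports it received from userdb."""
    settings = {}
    for line in log_lines:
        match = SETTING_RE.search(line)
        if match:
            settings[match.group("name")] = match.group("value")
    return settings


def decode_key(value):
    """Return the PEM text of a mail_crypt key given as PEM or base64-encoded PEM.
    Values that are neither are returned unchanged for the caller to inspect."""
    if value.startswith("-----"):
        return value
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return value


def private_key_is_encrypted(pem):
    """PKCS#8 encrypted keys and legacy OpenSSL encrypted keys both mark it in the PEM."""
    return "ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def diagnose(settings):
    """Return (deliverable, reason) for the mail_crypt state seen by one LMTP session."""
    key = settings.get("mail_crypt_global_private_key")
    if key is None:
        return True, "no mail_crypt_global_private_key from userdb; mail_crypt not active for this user"
    if not private_key_is_encrypted(decode_key(key)):
        return True, "global private key is not password-protected; LMTP can decrypt without a password"
    if "mail_crypt_global_private_key_password" in settings:
        return True, "encrypted global private key and its password both arrive from userdb"
    return False, ("encrypted global private key present but mail_crypt_global_private_key_password "
                   "was not added from userdb in this LMTP session (a value returned only by "
                   "password_query is not seen here)")


# Constructed sample data: placeholder PEM bodies (not real keys) and log lines
# modeled on the session quoted in the thread.
_FAKE_ENCRYPTED_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                       "PLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n")
_FAKE_PLAIN_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
_FAKE_PUBLIC_PEM = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"


def b64(pem):
    """Encode PEM text the way it appears in the userdb fields above."""
    return base64.b64encode(pem.encode()).decode()


_PREFIX = ("lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: "
           "conn 172.17.0.1:5237 [1]: rcpt someone@example.com: ")
SAMPLE_LOG = [
    _PREFIX + "Added userdb setting: plugin/mail_crypt_global_private_key=" + b64(_FAKE_ENCRYPTED_PEM),
    _PREFIX + "Added userdb setting: plugin/mail_crypt_global_public_key=" + b64(_FAKE_PUBLIC_PEM),
    _PREFIX + "Added userdb setting: plugin/mail_crypt_save_version=2",
    _PREFIX + "Added userdb setting: plugin/quota_rule=*:bytes=1024000000",
]

if __name__ == "__main__":
    deliverable, reason = diagnose(parse_userdb_settings(SAMPLE_LOG))
    print("OK" if deliverable else "WILL FAIL", "-", reason)
```

Run it over a real `doveadm log`/journal excerpt from one LMTP session in place of SAMPLE_LOG; a "WILL FAIL" result for an encrypted key is the same condition the thread's poster hit, and the two "deliverable" branches show the configurations that avoid it (an unencrypted global key, or the key password supplied from the same userdb lookup LMTP performs).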

