Dovecot mail-crypt webmail can't read encrypted messages

Aki Tuomi aki.tuomi at open-xchange.com
Mon Aug 29 04:56:25 UTC 2022


> On 28/08/2022 09:20 EEST Serveria Support <support at serveria.com> wrote:
> 
>  
> I'm trying to set up Dovecot with mail-crypt plugin with per-user 
> encryption.
> 
> I have configured mail-crypt plugin as per official guide here: 
> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
> 
> After that I created a user and an encrypted key by running this 
> command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox 
> cryptokey generate -u mail at example.org -URf (replacing dummy data ofc)
> 
> I can log in to webmail (and Dovecot) just fine, emails are getting sent 
> and delivered. I have also checked the storage and the messages seem to 
> be stored encrypted.
> 
> However, I can't read the emails in webmail (just headers can be seen) 
> and in Dovecot logs I can see the following error:
> 
> failed: Private key not available: Cannot decrypt key ### Cannot decrypt 
> key ### <8632: Password not available (FETCH RFC822.HEADER)
> 
> There seems to be an issue with MySQL query. The query I'm using (Select 
> username as "user", password,"%w" as userdb_mail_crypt_private_password 
> from mailbox;) seems to work just fine, when run from mysql prompt it 
> outputs the usernames and passwords, but the error is still there 
> (Cannot decrypt key ### Password not available).
> 
> Any ideas? What am I missing?

Hi!

First of all, it's super-unsafe to use the user's password like that as private password, at least run it through SHA256. This prevents dovecot from doing expansions on it by accident.

Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and make sure the correct value gets added as 'plugin/mail_crypt_private_password' when using with webmail.

Aki
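As an added example (not from the thread), the query from the question beside a variant that hashes the login password before it reaches mail-crypt; the `WHERE` clause, the prefetch-userdb setup and the MySQL `SHA2()` call are assumptions, and the key pair must be generated with the same derived value:

```sql
-- Before (as posted): the plaintext login password (%w) becomes the key
-- password verbatim, so any '%' in it is subject to Dovecot's %-variable
-- expansion when the userdb_ field is processed.
-- Constructed: password_query in dovecot-sql.conf.ext, with userdb prefetch.
SELECT username AS "user", password,
       '%w' AS userdb_mail_crypt_private_password
FROM mailbox
WHERE username = '%u';

-- After: use the SHA-256 hex digest of the login password as the key password.
-- The digest is only [0-9a-f], so there is no '%' left for expansion to act on.
-- Dovecot expands and SQL-escapes %w before the query is sent to MySQL;
-- SHA2(str, 256) returns the lowercase hex digest (assumption: MySQL 5.5+).
SELECT username AS "user", password,
       SHA2('%w', 256) AS userdb_mail_crypt_private_password
FROM mailbox
WHERE username = '%u';

-- The key must be generated with the same derived value, e.g. (constructed):
--   doveadm -o plugin/mail_crypt_private_password=$(printf '%s' 'login-password' | sha256sum | cut -d' ' -f1) \
--     mailbox cryptokey generate -u mail@example.org -URf
```

With mail_debug=yes and auth_debug=yes the expanded value can be compared against the one used at key generation; a mismatch produces the "Password not available" error seen above.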
