Dovecot mail-crypt webmail can't read encrypted messages

Aki Tuomi aki.tuomi at
Mon Aug 29 04:56:25 UTC 2022

> On 28/08/2022 09:20 EEST Serveria Support <support at> wrote:
> I'm trying to setup Dovecot with mail-crypt plugin with per-user 
> encryption.
> I have configured mail-crypt plugin as per official guide here: 
> After that I created a user and an encrypted key by running this 
> command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox 
> cryptokey generate -u mail at -URf (replacing dummy data ofc)
> I can log in to webmail (and Dovecot) just fine, emails are getting sent 
> and delivered. I have also checked the storage and the messages seem to 
> be stored encrypted.
> However, I can't read the emails in webmail (just headers can be seen) 
> and in Dovecot logs I can see the following error:
> failed: Private key not available: Cannot decrypt key ### Cannot decrypt 
> key ### <8632: Password not available (FETCH RFC822.HEADER)
> There seems to be an issue with mySQL query. The query I'm using (Select 
> username as "user", password,"%w" as userdb_mail_crypt_private_password 
> from mailbox;) seems to work just fine, when run from mysql prompt it 
> outputs the usernames and passwords, but the error is still there 
> (Cannot decrypt key ### Password not available).
> Any ideas? What am I missing


First of all, it's super-unsafe to use user's password like that as private password, at least run it through SHA256. This prevents dovecot from doing expansions on it by accident.

Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and make sure the correct value gets added as 'plugin/mail_crypt_private_password' when using with webmail.


More information about the dovecot mailing list