Dovecot mail-crypt webmail can't read encrypted messages

Serveria Support support at serveria.com
Mon Aug 29 07:51:07 UTC 2022


Emm, sorry for the confusion, there are two users authenticating - 
master user "postmaster" and the second user called "test". I have just 
obfuscated users by replacing usernames with myuser. So no, this 
shouldn't be the issue.

Any other suggestions?

On 2022-08-29 10:30, Aki Tuomi wrote:
>> On 29/08/2022 09:26 EEST Serveria Support <support at serveria.com> 
>> wrote:
>> 
>> 
>> It's a testing install my main goal is to make it work. I will play
>> around with password encryption before going live.
>> 
>> I have enabled all possible debugging yet I can't see the value you
>> mentioned in the log file. Could you please point me?
>> 
>> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>> unix:auth-worker (pid=648542,uid=110): auth-worker<1>:
>> sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): query: SELECT
>> mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE
>> mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1 
>> AND
>> mailbox.active=1 AND mailbox.domain=domain.domain AND 
>> domain.backupmx=0
>> AND domain.active=1
> 
> it's not set here.
> 
> 
>> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>> unix:auth-worker (pid=648542,uid=110): auth-worker<2>:
>> sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): SELECT
>> LOWER('myuser at mydomain.xyz') AS master_user,
>> LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode,
>> '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/',
>> mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=',
>> mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE
>> mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1 
>> AND
>> mailbox.active=1 AND mailbox.domain=domain.domain AND 
>> domain.backupmx=0
>> AND domain.active=1
> 
> it's not set here either.
> 
> So. You are doing master user login, and are wondering why user's
> password is not available?
> 
> Master user logins are not really compatible with using user's
> password as encryption key.
> 
> Aki
> 
>> 
>> On 2022-08-29 07:56, Aki Tuomi wrote:
>> >> On 28/08/2022 09:20 EEST Serveria Support <support at serveria.com>
>> >> wrote:
>> >>
>> >>
>> >> I'm trying to setup Dovecot with mail-crypt plugin with per-user
>> >> encryption.
>> >>
>> >> I have configured mail-crypt plugin as per official guide here:
>> >> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>> >>
>> >> After that I created a user and an encrypted key by running this
>> >> command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox
>> >> cryptokey generate -u mail at example.org -URf (replacing dummy data ofc)
>> >>
>> >> I can log in to webmail (and Dovecot) just fine, emails are getting
>> >> sent
>> >> and delivered. I have also checked the storage and the messages seem
>> >> to
>> >> be stored encrypted.
>> >>
>> >> However, I can't read the emails in webmail (just headers can be seen)
>> >> and in Dovecot logs I can see the following error:
>> >>
>> >> failed: Private key not available: Cannot decrypt key ### Cannot
>> >> decrypt
>> >> key ### <8632: Password not available (FETCH RFC822.HEADER)
>> >>
>> >> There seems to be an issue with the MySQL query. The query I'm using
>> >> (Select
>> >> username as "user", password,"%w" as
>> >> userdb_mail_crypt_private_password
>> >> from mailbox;) seems to work just fine, when run from mysql prompt it
>> >> outputs the usernames and passwords, but the error is still there
>> >> (Cannot decrypt key ### Password not available).
>> >>
>> >> Any ideas? What am I missing?
>> >
>> > Hi!
>> >
>> > First of all, it's super-unsafe to use user's password like that as
>> > private password, at least run it through SHA256. This prevents
>> > dovecot from doing expansions on it by accident.
>> >
>> > Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and
>> > make sure the correct value gets added as
>> > 'plugin/mail_crypt_private_password' when using with webmail.
>> >
>> > Aki
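Aki's two points in the thread, as an added Python example that is not part of the mailing-list discussion: it reads auth-worker debug lines (constructed here from the two queries quoted above, re-joined onto single lines as Dovecot emits them) and reports whether each logged userdb query actually returns a `userdb_mail_crypt_private_password` field, and `derive_private_password` shows the SHA256 form he recommends instead of the raw password. The `SHA2('%w', 256)` fixed query is a constructed illustration of the query shape, not text from the thread.

```python
import hashlib
import re

# Constructed sample: the two auth-worker debug queries quoted in the thread,
# each re-joined onto one line as Dovecot emits them (the archive wrapped them).
SAMPLE_LOG = """\
Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn unix:auth-worker (pid=648542,uid=110): auth-worker<1>: sql(myuser@mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='myuser@mydomain.xyz' AND mailbox.active=1
Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn unix:auth-worker (pid=648542,uid=110): auth-worker<2>: sql(myuser@mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): SELECT LOWER('myuser@mydomain.xyz') AS master_user, CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail FROM mailbox,domain WHERE mailbox.username='myuser@mydomain.xyz'
"""

# The SQL statement Dovecot's sql driver logs after "sql(user,ip,<session>):".
QUERY_RE = re.compile(r"sql\([^)]*\):\s*(?:query:\s*)?(SELECT\b.*)$", re.IGNORECASE)
# The userdb extra field mail-crypt takes the private key password from.
PRIVPW_RE = re.compile(r"\bAS\s+userdb_mail_crypt_private_password\b", re.IGNORECASE)


def extract_queries(log_text: str) -> list[str]:
    """Return every SQL statement found in auth-worker debug lines."""
    found = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            found.append(m.group(1).strip())
    return found


def selects_private_password(query: str) -> bool:
    """True if the query hands a userdb_mail_crypt_private_password field to Dovecot."""
    return PRIVPW_RE.search(query) is not None


def audit(log_text: str) -> list[bool]:
    """One verdict per logged query: does it set the private password field?"""
    return [selects_private_password(q) for q in extract_queries(log_text)]


def derive_private_password(password: str) -> str:
    """Aki's advice: give mail-crypt SHA256(password) rather than the raw password.
    The hex digest contains no '%', so Dovecot's %-variable expansion cannot
    alter it by accident the way a raw password containing '%' could be."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for i, ok in enumerate(audit(SAMPLE_LOG), 1):
        print(f"query {i}: private password field {'set' if ok else 'NOT set'}")
    # Constructed query shape that would pass the check (column names are assumed).
    fixed = ("SELECT username AS user, password, SHA2('%w', 256) "
             "AS userdb_mail_crypt_private_password FROM mailbox")
    print("fixed query sets it:", selects_private_password(fixed))
```

Both queries from the thread come back as "NOT set", which is what Aki spotted by eye; note that under a master-user login `%w` carries the master user's password, not the mailbox owner's, so the hashed value would still not unlock the user's key.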