Dovecot mail-crypt webmail can't read encrypted messages

hi at zakaria.website hi at zakaria.website
Wed Sep 14 17:12:34 UTC 2022 

On 2022-09-14 17:34, Serveria Support wrote:
> Thanks for your help. Do you know in which folder the keys are stored? 
> I'd like to check the permissions...
> 
> On 2022-09-14 18:56, hi at zakaria.website wrote:
>> On 2022-09-14 16:04, Serveria Support wrote:
>>> Oh, I thought that section is for the global keys. I'm trying to use 
>>> per-user/per-folder keys. I used this command:
>>> 
>>> doveadm -o plugin/mail_crypt_private_password=xxxxxxxxxx mailbox 
>>> cryptokey generate -u user at mydomain.xyz -URf
>>> 
>>> 
>>> 
>>> On 2022-09-14 17:47, hi at zakaria.website wrote:
>>>> On 2022-09-14 15:11, Serveria Support wrote:
>>>>> How can I set the global private key in conf? I was following the 
>>>>> official mail-crypt tutorial. This is what I have in dovecot.conf 
>>>>> mail-crypt section:
>>>>> 
>>>>> mail_crypt_curve = secp521r1
>>>>>     mail_crypt_save_version = 2
>>>>>     mail_crypt_require_encrypted_user_key = yes
>>>>> 
>>>>> 
>>>>> 
>>>>> On 2022-09-14 17:23, hi at zakaria.website wrote:
>>>>>> On 2022-09-14 14:41, Serveria Support wrote:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> This log shows no errors. Running doveadm fetch command gives me 
>>>>>>> this:
>>>>>>> 
>>>>>>> doveadm(user at mydomain.xyz): Error: fetch(text) failed for 
>>>>>>> box=INBOX uid=15: read() failed: 
>>>>>>> read(/var/vmail/vmail1/mydomain.xyz/a/b/d/xxxxxxxx-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) 
>>>>>>> failed: Private key not available: Cannot decrypt key 
>>>>>>> fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: 
>>>>>>> Cannot decrypt key 
>>>>>>> 10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: 
>>>>>>> Password not available
>>>>>>> 
>>>>>>> On 2022-09-13 14:43, hi at zakaria.website wrote:
>>>>>>>> On 2022-09-02 20:40, Serveria Support wrote:
>>>>>>>>> I tried it but it doesn't seem to make any difference at all.
>>>>>>>>> 
>>>>>>>>> Can someone please assist me with reading logs? Does this log 
>>>>>>>>> below mean Dovecot is trying to use master_user again or simply 
>>>>>>>>> reading master_user password file?
>>>>>>>>> 
>>>>>>>>> Sep  2 15:35:33 mx dovecot: auth: Debug: Read auth token secret 
>>>>>>>>> from /run/dovecot/auth-token-secret.dat
>>>>>>>>> Sep  2 15:35:33 mx dovecot: auth: Debug: passwd-file 
>>>>>>>>> /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
>>>>>>>>> Sep  2 15:35:33 mx dovecot: auth: Debug: auth client connected 
>>>>>>>>> (pid=900284)
>>>>>>>>> Sep  2 15:35:33 mx dovecot: auth: Debug: client in: 
>>>>>>>>> AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
>>>>>>>>> (previous base64 data may contain sensitive data)
>>>>>>>>> 
>>>>>>>>> Everything ok here?
>>>>>>>>> 
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: auth client connected 
>>>>>>>>> (pid=899859)
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: client in: 
>>>>>>>>> AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= 
>>>>>>>>> (previous base64 data may contain sensitive data)
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): 
>>>>>>>>> Performing passdb lookup
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling 
>>>>>>>>> PASSV request
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): 
>>>>>>>>> Performing passdb lookup
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: 
>>>>>>>>> SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain 
>>>>>>>>> WHERE mailbox.username='user1 at mydomain.xyz' AND 
>>>>>>>>> mailbox.`enableimaptls`=1 AND mailbox.active=1 AND 
>>>>>>>>> mailbox.domain=domain.domain AND domain.backupmx=0 AND 
>>>>>>>>> domain.active=1
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
>>>>>>>>> passdb lookup
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
>>>>>>>>> passdb lookup
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: 
>>>>>>>>> auth(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth 
>>>>>>>>> request finished
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: client passdb out: 
>>>>>>>>> OK#0111#011user=user1 at mydomain.xyz
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: master in: 
>>>>>>>>> REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): 
>>>>>>>>> Performing userdb lookup
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling 
>>>>>>>>> USER request
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): 
>>>>>>>>> Performing userdb lookup
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT 
>>>>>>>>> LOWER(CONCAT(mailbox.storagebasedirectory, '/', 
>>>>>>>>> mailbox.storagenode, '/', mailbox.maildir)) AS home, 
>>>>>>>>> CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS 
>>>>>>>>> mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule 
>>>>>>>>> FROM mailbox,domain WHERE mailbox.username='user1 at mydomain.xyz' 
>>>>>>>>> AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND 
>>>>>>>>> mailbox.domain=domain.domain AND domain.backupmx=0 AND 
>>>>>>>>> domain.active=1
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
>>>>>>>>> userdb lookup
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn 
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Finished
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: 
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished 
>>>>>>>>> userdb lookup
>>>>>>>>> Sep  2 15:25:34 mx dovecot: auth: Debug: master userdb out: 
>>>>>>>>> USER#0111998585857#011user1 at mydomain.xyz#011home=/var/vmail/vmail1/mydomain.xyz/t/e/s/xxxxx-2022.08.30.06.07.08/#011mail=maildir:~/Maildir#011quota_rule=*:bytes=1073741824#011auth_mech=PLAIN#011auth_token=fac9c351492fd6073176272c79ff65b1b3e87f37
>>>>>>>>> 
>>>>>>>>> Sep  2 15:25:34 mx dovecot: 
>>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug: 
>>>>>>>>> Added userdb setting: mail=maildir:~/Maildir
>>>>>>>>> Sep  2 15:25:34 mx dovecot: 
>>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug: 
>>>>>>>>> Added userdb setting: plugin/quota_rule=*:bytes=1073741824
>>>>>>>>> Sep  2 15:25:34 mx dovecot: 
>>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug: 
>>>>>>>>> Effective uid=2000, gid=2000, 
>>>>>>>>> home=/var/vmail/vmail1/mydomain.xyz/t/e/s/xxxxx-2022.08.30.06.07.08/
>>>>>>>>> 
>>>>>>>>> Any ideas?
>>>>>>>>> 
>>>>>>>>> On 2022-09-02 20:08, dovecot at ptld.com wrote:
>>>>>>>>>>> password_query = SELECT \
>>>>>>>>>>>   username as user, password, \
>>>>>>>>>>>   '%w' AS userdb_mail_crypt_private_password \
>>>>>>>>>>>   FROM mailbox WHERE username="%u";
>>>>>>>>>> 
>>>>>>>>>> Try if using ' instead of " makes a difference.
>>>>>>>>>> FROM mailbox WHERE username='%u';
>>>>>>>> 
>>>>>>>> The logs doesn't show any errors?
>>>>>> 
>>>>>> Private key not available? Isn't clear enough?
>>>>>> 
>>>>>> Did you set the global private key in dovecot config?
>>>>>> 
>>>>>> The error is saying the private key that meant to be used to 
>>>>>> decrypt
>>>>>> emails is not found, thus it must be the path you set in mail 
>>>>>> crypt
>>>>>> plugin definition is incorrect or private key file have either 
>>>>>> wrong
>>>>>> ownership or permissions.
>>>>>> 
>>>>>> Notice it has to be in .pem format as well.
>>>> 
>>>> Check RSA key section, in
>>>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#rsa-key
>> 
>> Check the Base64-encoded Keys section, I think it says something about
>> query the pem content from DB per user. Also, search for " Setting up
>> individual encrypted user keys using mail-crypt-plugin " post in the
>> mailing list, it touches on which variable name needs to be passed in
>> the sql query for the user corresponding pub and priv key.
>> 
>> Encoding in base64 the content of PEM files seems to be important
>> otherwise characters like % can cause problem in dovecot. I suggest to
>> store the keys already encoded to ease the process of handling.
>> 
>> Zakaria.

No problem. Sorry, I dont know but I recommend to check dovecot source 
code in the git repo.

More information about the dovecot mailing list