https://www.mail-archive.com/dovecot at dovecot.org/msg77000.html

Mon Apr 10 18:03:32 UTC 2023

> Op 10 apr. 2023 om 18:40 heeft Martin Stenzel <stenzel at bw-host.de> het volgende geschreven:
> 
> 
> Hi team,
> 
> regarding:
> 
> https://www.mail-archive.com/dovecot@dovecot.org/msg77000.html
> 
> 
> 
> I have the very same problem.
> 
> 
> 
> terve:/tmp # decrypt.rb -k /etc/dovecot/mailcrypt/ecpubkey.pem -f ./1681118363....terve.xy-space.de\,S\=3452\,W\=3515\:2\,S 
> 
> Key(s) (total: 1) 
>  - Key type  : EC 
>  - Key digest: a27b201cf7f59f... 
>  - Peer key  : 04aaca0143208904deced2732aaa...
>  - Encrypted : 4cde641bff16098b91bfaf66...
>  - Kd hash   : 9e229ec6c0... 
> terve:/tmp # decrypt.rb -k /etc/dovecot/mailcrypt/ecprivkey.pem -f ./16811....terve.xy-space.de\,S\=3452\,W\=3515\:2\,S
>  
> 
> Key(s) (total: 1) 
>  - Key type  : EC 
>  - Key digest: a27b201cf7f59f978bb9b27947f60a9... 
>  - Peer key  : 04aaca0143208904deced2732aaaf127... 
>  - Encrypted : 4cde641bff16098b91bfaf66c9...
>  - Kd hash   : 9e229ec6c09... 
> 
> 
> terve:/tmp # decrypt.rb -i -k /etc/dovecot/mailcrypt/ecprivkey.pem -f ./1681118...terve.xy-space.de\,S\=3452\,W\=3515\:2
> \,S  
> Version       : 2 
> Flags         : AEAD integrity 
> Header length : 255 
> Cipher algo   : aes-256-gcm (2.16.840.1.101.3.4.1.46) 
> Digest algo   : sha256 (2.16.840.1.101.3.4.2.1) 
> 
> Key derivation 
>  - Rounds    : 2048
> 
> ...
> 
> 
> N. B. Before posting I arbitrarily removed numbers from the output, maybe paranoid...
> 

Why?

> 
> Environment:
> 
> openSuSE Linux server.
> 
> dovecot version 2.3.20
> 
> openssl version 1.1.1
> 
> ruby version 3.1.2p20
> 
> decrypt.rb version https://gist.github.com/cmouse/882f2e2a60c1e49b7d343f5a6a2721de
> 
> 
> 
> This is the way I generated the keys:
> 
> openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem
> openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem
> 
> 
> This is the 10-mailcrypt.conf:
> 
> mail_plugins = $mail_plugins mail_crypt 
> 
> plugin { 
>    #fts_index_fs = crypt:set_prefix=fscrypt_index:posix:set_prefix=/tmp/fts 
>    mail_crypt_global_private_key = </etc/dovecot/mailcrypt/ecprivkey.pem 
>    mail_crypt_global_public_key = </etc/dovecot/mailcrypt/ecpubkey.pem 
>    mail_crypt_save_version = 2 
> }
>  
> 
> Encryption of incoming (thanks to dovecot-lda), as well as outgoing mails works perfectly.
> 
> 
> 
> But for me it is more a feature than a bug, since now, even as root I am not able to decrypt users mails.
> 
> This serves plausible deniability. 
> 
> 
> 
> But how can I make sure, that NOBODY ELSE can decrypt with this specific private key?
> 
> Is there ANY OTHER way to decrypt the mails besides the script?
> 
> 
> 
> Have a nice Monday, and THANKS for taking your time!
> 
> Martin, Cologne
> 
> 
> 
> P. S. Did you notice, that as an argument (-k) the results are the same, both with private and public key?
> 
> P.P.S. If i give the "-w" argument and a file name, the file remains empty, tried even that without success.
> 
> P.P.P.S. If I call the script with ruby version 2 it bails out...
> 
> 
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20230410/4bdc4b46/attachment.htm>