Dovecot - mail_crypt - lmtp-server - no password to decrypt the key

contact at baljeetbhinder.ca
Mon Jan 9 15:01:33 UTC 2023


Thanks for the heads-up about plugins, Aki. I have disabled the quota and sieve plugins and I don't think I have enabled fts. (If it is enabled by default, can you point me to the configuration for how to disable it? I have tried this https://doc.dovecot.org/configuration_manual/fts/ and was not able to find a flag to turn it off.) But the error seems to persist.

---- Dovecot Configs ----
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 5.15.0-57-generic x86_64 Ubuntu 20.04.5 LTS 
# Hostname: mailserver-dovecot-7c9ff7b94b-h4r8m
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
debug_log_path = /dev/stdout
haproxy_trusted_networks = 192.168.0.0/16 10.10.10.0/24 10.10.30.0/24 172.17.0.1/16
hostname = imap.mailserver.k8s.local pop.mailserver.k8s.local
info_log_path = /dev/stdout
listen = *
log_path = /dev/stdout
mail_debug = yes
mail_gid = 1000
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/:LAYOUT=fs
mail_plugins = mail_crypt
mail_privileged_group = mail
mail_uid = 1000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY APPEND FLAG
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY APPEND FLAG
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_crypt_save_version = 0
  quota = maildir:User quota
  quota_exceeded_message = User %u has exhausted allowed storage space.
  quota_rule = Junk:ignore
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=90%% quota-warning 90 %u %d
  quota_warning2 = storage=80%% quota-warning 80 %u %d
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_global = /var/vmail/sieve/global/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
  sieve_pipe_bin_dir = /var/vmail/sieve/global
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = " imap lmtp sieve pop3"
service auth {
  inet_listener {
    port = 25252
  }
}
service imap-login {
  inet_listener imap {
    haproxy = yes
  }
  inet_listener imaps {
    haproxy = yes
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
    haproxy = yes
  }
  inet_listener pop3s {
    haproxy = yes
  }
}
ssl = required
ssl_cert = </etc/dovecot/certs/tls.crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  info_log_path = /dev/stdout
  log_path = /dev/stdout
  mail_plugins = mail_crypt
  postmaster_address = contact at baljeetbhinder.ca
}
protocol imap {
  mail_plugins = mail_crypt quota imap_quota imap_sieve
}
---- Dovecot Configs Ends ----

---- Lmtp Log ----
lmtp(273): Info: Connect from 172.17.0.1
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): Started userdb lookup
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb (pid=144,uid=0): Client connected (fd=18)
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): auth USER input: someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): Finished userdb lookup (username=someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2)
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
lmtp(273): Error: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Failed to initialize user: mail_crypt_plugin: mail_crypt_global_private_key: mail_crypt_global_private_key_password unset, no password to decrypt the key
lmtp(273): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
---- Lmtp Log Ends ----

How can I tell which plugin is conflicting here?


January 9, 2023 6:00 AM, "Aki Tuomi" <aki.tuomi at open-xchange.com> wrote:

>> On 08/01/2023 18:55 EET Baljeet Bhinder <contact at baljeetbhinder.ca> wrote:
>> 
>> I have been using postfix+dovecot successfully for a while now until I tried mail crypt plugin
>> lately. I tried what is described here
>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin and I went for global-keys as
>> described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys
>> "A good solution for environments where no user folder sharing is needed is to generate per-user EC
>> key pair and encrypt that with something derived from user’s password."
>> 
>> I am setting mail_crypt_global_private_key, mail_crypt_global_public_key, mail_crypt_save_version
>> from user_query and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt
>> seems to work fine in imap (I saved a message as draft and it is stored encrypted on the disk), but
>> lmtp complains about "mail_crypt_global_private_key_password unset, no password to decrypt the key"
>> As you can see in the logs below, it was able to set all the other mail_crypt_ configurations
>> successfully from user_query. However, the password is provided via password_query and I assume
>> lmtp does not read password_query. How else can I provide a password in lmtp? Is my approach
>> correct to begin with?
> 
> Hi!
> 
> The problem with user-password derivation is what you've run into. Some features, like quota or
> FTS, might need to access the user's mail without being able to access the password, because it's
> not available.
> 
> If you run into these, the only thing you can do is to not use the conflicting features. Using the
> user's password as the encryption key is a very tricky thing to get working right.
> 
>> Thanks
>> Baljeet Bhinder
> 
> Regards,
> Aki
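The log excerpt above already answers "which plugin is conflicting": LMTP performs only a userdb lookup for the recipient (there is no authentication on a delivery, so nothing from password_query is ever available), and the settings it reports as "Added userdb setting" are exactly the ones that reach mail_crypt. The following script is an added example for this thread, not code from Dovecot or from either poster: it parses the quoted LMTP debug lines (with the archive's "user at domain" address obfuscation, and the key material truncated as shown) to list which mail_crypt settings arrived via userdb and which one is missing, and it scans a doveconf -n style excerpt of the configuration above to show which protocols load mail_crypt. The sample log and config are copied from the thread; the parsing rules are assumptions about the doveconf and log line formats seen here.

```python
"""Diagnose the LMTP mail_crypt failure from Dovecot logs and doveconf -n output.

Added example for this thread (not Dovecot code). Assumptions: the log lines have
the "rcpt <addr>: Added userdb setting: plugin/<key>=<value>" and
"rcpt <addr>: Failed to initialize user: <reason>" shapes quoted in the thread,
and the config uses doveconf -n's "protocol NAME {" block syntax.
"""
import json
import re
from dataclasses import dataclass, field

# Sample log lines taken from the thread (constructed excerpt, addresses obfuscated
# by the list archive as "someone at example.com", key material truncated as shown).
SAMPLE_LOG = """\
lmtp(273): Info: Connect from 172.17.0.1
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
lmtp(273): Error: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Failed to initialize user: mail_crypt_plugin: mail_crypt_global_private_key: mail_crypt_global_private_key_password unset, no password to decrypt the key
lmtp(273): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
"""

# Constructed excerpt of the doveconf -n output quoted in the thread.
SAMPLE_CONF = """\
mail_plugins = mail_crypt
namespace inbox {
  inbox = yes
  mailbox "Sent Messages" {
    special_use = \\Sent
  }
}
plugin {
  mail_crypt_save_version = 0
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocol lmtp {
  mail_plugins = mail_crypt
}
protocol imap {
  mail_plugins = mail_crypt quota imap_quota imap_sieve
}
"""

SETTING_RE = re.compile(r"rcpt (.+?): Added userdb setting: plugin/([A-Za-z0-9_]+)=(\S*)")
ERROR_RE = re.compile(r"rcpt (.+?): Failed to initialize user: (.*)$")


@dataclass
class RcptState:
    settings: dict = field(default_factory=dict)  # plugin/* settings LMTP got from userdb
    errors: list = field(default_factory=list)    # "Failed to initialize user" reasons


def parse_lmtp_log(text):
    """Group per-recipient userdb settings and init errors from LMTP debug output."""
    rcpts = {}
    for line in text.splitlines():
        m = SETTING_RE.search(line)
        if m:
            rcpts.setdefault(m.group(1), RcptState()).settings[m.group(2)] = m.group(3)
            continue
        m = ERROR_RE.search(line)
        if m:
            rcpts.setdefault(m.group(1), RcptState()).errors.append(m.group(2))
    return rcpts


def diagnose(state):
    """Explain why mail_crypt could not open the recipient's private key during delivery."""
    findings = []
    s = state.settings
    if "mail_crypt_global_private_key" in s and "mail_crypt_global_private_key_password" not in s:
        findings.append("private key reached LMTP via userdb, but its password did not: LMTP only "
                        "does a userdb lookup (no authentication), so a value returned only by "
                        "password_query is never available to the delivery process")
    if any("mail_crypt_global_private_key_password unset" in e for e in state.errors):
        findings.append("Dovecot reported the missing password while initializing the user")
    return findings


def protocol_plugins(conf_text):
    """Map each protocol block to its mail_plugins; '*' holds the top-level default."""
    plugins = {"*": []}
    block, depth = None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r"protocol (\S+) \{$", line)
        if m and depth == 0:
            block = m.group(1)
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                block = None
        elif line.startswith("mail_plugins"):
            # Only top-level and direct children of a protocol block count.
            key = block if (block and depth == 1) else ("*" if depth == 0 else None)
            if key is not None:
                plugins[key] = line.split("=", 1)[1].split()
    return plugins


def report(log_text=SAMPLE_LOG, conf_text=SAMPLE_CONF):
    """Combine both views: per-recipient findings plus protocols that load mail_crypt."""
    out = {rcpt: diagnose(state) for rcpt, state in parse_lmtp_log(log_text).items()}
    plugins = protocol_plugins(conf_text)
    out["protocols_with_mail_crypt"] = sorted(p for p, v in plugins.items() if "mail_crypt" in v)
    return out


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run against the thread's own lines it reports that the private key, public key, save_version and quota_rule all arrived through userdb while mail_crypt_global_private_key_password did not, and that mail_crypt is loaded globally, in imap and in lmtp; the delivery path is therefore the one that can never see a password-derived secret, which is the conflict Aki describes.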

