It should pick up the password used by the user; there is a caveat here though. The keypair is created on first use, so the password will be initialized to an empty string going through pkcs5. This is slightly inconvenient.
To avoid this, you should probably have
protocol imap {
  passdb {
    driver = static
    args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
  }
}
and initialize the keypair using doveadm and set the password to this value there.
This requires some user management tools though, so that the password is changed with doveadm when the user changes their password.
Another alternative is to keep the private password in the database; you can use the var expand encryption plugin to make sure it's decryptable with the user's password. See https://doc.dovecot.org/configuration_manual/config_file/config_variables/ for details.
Key management is pretty much the most difficult thing in the mail crypt plugin =)
Aki
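A sketch of the user-management helper the reply above calls for, added here as an example and not taken from the thread or from Dovecot: it derives the same kind of value as %{pkcs5,salt=%u,format=base64:password} and builds the doveadm calls for creating the keypair and for re-keying on a password change. The PBKDF2 parameters (SHA-256, 2048 rounds, 32 bytes), the function names and the sample account are assumptions.

```python
import base64
import hashlib

# Assumed PBKDF2 parameters; the thread does not state what %{pkcs5} uses.
ALGORITHM = "sha256"
ROUNDS = 2048
LENGTH = 32


def derive_private_password(username: str, password: str) -> str:
    """PBKDF2 over the login password, salted with the username (salt=%u),
    then base64-encoded (format=base64)."""
    raw = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                              username.encode("utf-8"), ROUNDS, dklen=LENGTH)
    return base64.b64encode(raw).decode("ascii")


def generate_argv(username: str, password: str) -> list:
    """Create the user keypair up front, protected by the derived value,
    instead of letting first use create it with an empty password."""
    derived = derive_private_password(username, password)
    return ["doveadm", "-o", f"plugin/mail_crypt_private_password={derived}",
            "mailcrypt", "generate", "-u", username, "-U"]


def rekey_argv(username: str, old_password: str, new_password: str) -> list:
    """Re-encrypt the private key when the login password changes."""
    return ["doveadm", "mailcrypt", "password", "-u", username,
            "-o", derive_private_password(username, old_password),
            "-n", derive_private_password(username, new_password)]


if __name__ == "__main__":
    # Constructed sample account; not from the thread.
    user = "alice@example.org"
    print(" ".join(generate_argv(user, "old-secret")))
    print(" ".join(rekey_argv(user, "old-secret", "new-secret")))
```

Check that the derived string matches what the server expands for the same user before relying on it, and note that values passed as command-line arguments are visible in the process list while doveadm runs.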
Do I have to replace the "password" part with the actual password or can I just copy it like that?
Will dovecot create the keypair automatically or do I have to use doveadm?
4 Sep 2019, 08:33 by aki.tuomi@open-xchange.com:
On 4.9.2019 9.21, **** **** via dovecot wrote:
Hello there,
is there a way to make the mailcrypt plugin use the user's password or at least store it in a hashed value?
I'm using a passwd file for authentication.
I feel uncomfortable saving the private password in plaintext in that file.
Regards
You can try in passdb return
userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
Aki