This is the error I get in the dovecot logs when a user tries to access a shared mailbox encrypted with another user's folder key:
Jul 11 18:45:27 prokyon dovecot: imap(user1@mydomain.net)<5015><bTtn0zgABpP9EChC8NEBAa8xnEHdawfA>: Error: Mailbox Shared/user2@mydomain.net/INBOX: UID=2306: read() failed: read(/home/vmail/mydomain.net/user2/cur/1689031994.M621413P6856.prokyon,S=774,W=790:2,S) failed: Decryption error: no private key available (read reason=)
Jul 11 18:45:27 prokyon dovecot: imap(user1@mydomain.net)<5015><bTtn0zgABpP9EChC8NEBAa8xnEHdawfA>: FETCH failed: Internal error occurred. Refer to server log for more information. [2023-07-11 18:45:27] in=526 out=1604 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=0 body_count=0 body_bytes=0
ACLs allowing access are set.
Robert
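The "Decryption error: no private key available" line above is the signal an operator would want to watch for when rolling out folder-key sharing: it tells you which user tried to read which owner's shared mailbox without holding a usable private key for that folder key. The following parser is an added example, not code from the post or from Dovecot; it parses syslog-style dovecot imap lines in the format shown above, separates failures on shared mailboxes (key not shared to the reader) from failures on the user's own mailboxes (the user's own private key missing or not unlocked), and counts them per (reader, owner) pair. It assumes the shared namespace prefix is `Shared/` as in the post's log; the sample log lines are constructed from the post's error plus two extra lines that the parser must ignore or classify differently.

```python
import re
from collections import Counter

# Assumed shared-namespace prefix; it matches the post's log but is site-specific.
SHARED_PREFIX = "Shared/"

# Constructed sample input: line 1 and 2 are the post's two log lines, line 3 is a
# constructed failure on the user's OWN mailbox, line 4 is an unrelated login line.
SAMPLE_LOG = """\
Jul 11 18:45:27 prokyon dovecot: imap(user1@mydomain.net)<5015><bTtn0zgABpP9EChC8NEBAa8xnEHdawfA>: Error: Mailbox Shared/user2@mydomain.net/INBOX: UID=2306: read() failed: read(/home/vmail/mydomain.net/user2/cur/1689031994.M621413P6856.prokyon,S=774,W=790:2,S) failed: Decryption error: no private key available (read reason=)
Jul 11 18:45:27 prokyon dovecot: imap(user1@mydomain.net)<5015><bTtn0zgABpP9EChC8NEBAa8xnEHdawfA>: FETCH failed: Internal error occurred. Refer to server log for more information. [2023-07-11 18:45:27] in=526 out=1604 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=0 body_count=0 body_bytes=0
Jul 11 18:46:02 prokyon dovecot: imap(user1@mydomain.net)<5020><c0nStRuCtEdSeSsIoN00000000000000>: Error: Mailbox INBOX: UID=17: read() failed: read(/home/vmail/mydomain.net/user1/cur/1689032000.M1P6900.prokyon,S=512,W=520:2,S) failed: Decryption error: no private key available (read reason=)
Jul 11 18:46:30 prokyon dovecot: imap-login: Login: user=<user1@mydomain.net>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=5021, TLS, session=<c0nStRuCtEdSeSsIoN00000000000001>
"""

# Syslog prefix + "service(user)<pid><session>: Level: message", as in the post.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+dovecot:\s+"
    r"(?P<service>[a-z-]+)\((?P<user>[^)]+)\)<\d+><[^>]*>:\s+"
    r"(?P<level>Error|Warning|Fatal|Panic|Info|Debug):\s+(?P<msg>.*)$"
)

# Inside the message: the mailbox name, an optional UID, and the mail-crypt reason.
CRYPT_RE = re.compile(
    r"Mailbox (?P<mailbox>.+?): (?:UID=(?P<uid>\d+): )?"
    r".*?Decryption error: (?P<reason>[^(]+?)\s*(?:\(|$)"
)


def parse_line(line):
    """Return a dict for a mail-crypt decryption failure, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    c = CRYPT_RE.search(m["msg"])
    if not c:
        return None
    mailbox = c["mailbox"]
    owner = None
    if mailbox.startswith(SHARED_PREFIX):
        # "Shared/<owner>/<folder>": the owner is whose folder key is needed.
        owner = mailbox[len(SHARED_PREFIX):].split("/", 1)[0]
    return {
        "ts": m["ts"],
        "host": m["host"],
        "user": m["user"],          # the user whose IMAP session failed
        "mailbox": mailbox,
        "uid": int(c["uid"]) if c["uid"] else None,
        "owner": owner,             # None when it is the user's own mailbox
        "reason": c["reason"].strip(),
    }


def summarize(lines):
    """Classify decryption failures: key not shared to the reader vs. reader's own key missing."""
    shared_key_missing = Counter()   # (reader, owner) -> count
    own_key_missing = Counter()      # reader -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None or "no private key" not in rec["reason"]:
            continue
        if rec["owner"] is not None:
            shared_key_missing[(rec["user"], rec["owner"])] += 1
        else:
            own_key_missing[rec["user"]] += 1
    return {
        "shared_key_missing": dict(shared_key_missing),
        "own_key_missing": dict(own_key_missing),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for (reader, owner), n in result["shared_key_missing"].items():
        print(f"{reader} cannot decrypt {owner}'s shared folders ({n} failures): folder key not shared")
    for reader, n in result["own_key_missing"].items():
        print(f"{reader} cannot decrypt own mailbox ({n} failures): own private key unavailable")
```

Feeding the live dovecot log through `summarize` (for example `summarize(open("/var/log/dovecot.log"))`) gives a quick inventory of which reader/owner pairs still lack a shared folder key, which is the state the post's error describes, versus users whose own key is not usable at all.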
On Tuesday, 11.07.2023 at 18:10 +0200, Robert Senger wrote:
Hi all,
I am trying to set up mailbox sharing (not public mailboxes) together with the mail-crypt plugin and encrypted folder keys.
According to the source code of the mail-crypt plugin (there's code trying to retrieve private keys for shared mailboxes), and its documentation, this should be possible:
If you are using global keys, mails can be shared within the key scope. The global key can be provided with several different scopes:
Global scope: key is configured in dovecot.conf file
Per-user(group) scope: key is configured in userdb file
With folder keys, key sharing can be done to single user, or multiple users. When key is shared to single user, and the user has public key available, the folder key is encrypted to recipient’s public key.
If you have mail_crypt_acl_require_secure_key_sharing enabled, you can’t share the key to groups or someone with no public key.
The documentation mentions key sharing, but I have no idea how this could be implemented, and did not find anything other than this mail-crypt documentation on the whole web...
I assume that I need to export the user key of the user's folder that should be shared, and import it into the receiving user's keys, encrypted with the receiving user's key.
Is that right? Any hints how to do that?
Regards,
Robert
-- Robert Senger
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org