Emm, sorry for the confusion, there are two users authenticating - master user "postmaster" and the second user called "test". I have just obfuscated users by replacing usernames with myuser. So no, this shouldn't be the issue.
Any other suggestions?
On 2022-08-29 10:30, Aki Tuomi wrote:
On 29/08/2022 09:26 EEST Serveria Support <support@serveria.com> wrote:
It's a testing install my main goal is to make it work. I will play around with password encryption before going live.
I have enabled all possible debugging yet I can's see the value you mentioned in the log file. Could you please point me?
Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn unix:auth-worker (pid=648542,uid=110): auth-worker<1>: sql(myuser@mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='myuser@mydomain.xyz' AND mailbox.
enableimaptls
=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1it's not set here.
Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn unix:auth-worker (pid=648542,uid=110): auth-worker<2>: sql(myuser@mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): SELECT LOWER('myuser@mydomain.xyz') AS master_user, LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE mailbox.username='myuser@mydomain.xyz' AND mailbox.
enableimaptls
=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1it's not set here either.
So. You are doing master user login, and are wondering why user's password is not available?
Master user logins are not really compatible with using user's password as encryption key.
Aki
On 2022-08-29 07:56, Aki Tuomi wrote:
On 28/08/2022 09:20 EEST Serveria Support <support@serveria.com> wrote:
I'm trying to setup Dovecot with mail-crypt plugin with per-user encryption.
I have configured mail-crypt plugin as per official guide here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
After that I created a user and an encrypted key by running this command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail@example.org -URf (replacing dummy data ofc)
I can log in to webmail (and Dovecot) just fine, emails are getting sent and delivered. I have also checked the storage and the messages seem to be stored encrypted.
However, I can't read the emails in webmail (just headers can be seen) and in Dovecot logs I can see the following error:
failed: Private key not available: Cannot decrypt key ### Cannot decrypt key ### <8632: Password not available (FETCH RFC822.HEADER)
There seems to be an issue with mySQL query. The query I'm using (Select username as "user", password,"%w" as userdb_mail_crypt_private_password from mailbox;) seems to work just fine, when run from mysql prompt it outputs the usernames and passwords, but the error is still there (Cannot decrypt key ### Password not available).
Any ideas? What am I missing
Hi!
First of all, it's super-unsafe to use user's password like that as private password, at least run it through SHA256. This prevents dovecot from doing expansions on it by accident.
Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and make sure the correct value gets added as 'plugin/mail_crypt_private_password' when using with webmail.
Aki