Re: Dovecot mail-crypt webmail can't read encrypted messages

29 Aug 2022 · *:bytes=', mailbox.quota*


      Emm, sorry for the confusion, there are two users authenticating -
master user "postmaster" and the second user called "test". I have just
obfuscated users by replacing usernames with myuser. So no, this
shouldn't be the issue.
Any other suggestions?
On 2022-08-29 10:30, Aki Tuomi wrote:
...
...
On 29/08/2022 09:26 EEST Serveria Support support@serveria.com
wrote:
It's a testing install my main goal is to make it work. I will play
around with password encryption before going live.
I have enabled all possible debugging yet I can's see the value you
mentioned in the log file. Could you please point me?
Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
unix:auth-worker (pid=648542,uid=110): auth-worker<1>:
sql(myuser@mydomain.xyz,xx.xx.xx.xx,): query: SELECT
mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE
mailbox.username='myuser@mydomain.xyz' AND mailbox.enableimaptls=1
AND
mailbox.active=1 AND mailbox.domain=domain.domain AND
domain.backupmx=0
AND domain.active=1
it's not set here.
...
Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
unix:auth-worker (pid=648542,uid=110): auth-worker<2>:
sql(myuser@mydomain.xyz,xx.xx.xx.xx,): SELECT
LOWER('myuser@mydomain.xyz') AS master_user,
LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode,
'/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/',
mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=',
mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE
mailbox.username='myuser@mydomain.xyz' AND mailbox.enableimaptls=1
AND
mailbox.active=1 AND mailbox.domain=domain.domain AND
domain.backupmx=0
AND domain.active=1
it's not set here either.
So. You are doing master user login, and are wondering why user's
password is not available?
Master user logins are not really compatible with using user's
password as encryption key.
Aki
...
On 2022-08-29 07:56, Aki Tuomi wrote:
...
...
On 28/08/2022 09:20 EEST Serveria Support support@serveria.com
wrote:
I'm trying to setup Dovecot with mail-crypt plugin with per-user
encryption.
I have configured mail-crypt plugin as per official guide here:
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
After that I created a user and an encrypted key by running this
command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox
cryptokey generate -u mail@example.org -URf (replacing dummy data ofc)
I can log in to webmail (and Dovecot) just fine, emails are getting
sent
and delivered. I have also checked the storage and the messages seem
to
be stored encrypted.
However, I can't read the emails in webmail (just headers can be seen)
and in Dovecot logs I can see the following error:
failed: Private key not available: Cannot decrypt key ### Cannot
decrypt
key ### <8632: Password not available (FETCH RFC822.HEADER)
There seems to be an issue with mySQL query. The query I'm using
(Select
username as "user", password,"%w" as
userdb_mail_crypt_private_password
from mailbox;) seems to work just fine, when run from mysql prompt it
outputs the usernames and passwords, but the error is still there
(Cannot decrypt key ### Password not available).
Any ideas? What am I missing
Hi!
First of all, it's super-unsafe to use user's password like that as
private password, at least run it through SHA256. This prevents
dovecot from doing expansions on it by accident.
Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and
make sure the correct value gets added as
'plugin/mail_crypt_private_password' when using with webmail.
Aki