On 2022-09-14 17:34, Serveria Support wrote:
Thanks for your help. Do you know in which folder the keys are stored? I'd like to check the permissions...
On 2022-09-14 18:56, hi@zakaria.website wrote:
On 2022-09-14 16:04, Serveria Support wrote:
Oh, I thought that section is for the global keys. I'm trying to use per-user/per-folder keys. I used this command:
doveadm -o plugin/mail_crypt_private_password=xxxxxxxxxx mailbox cryptokey generate -u user@mydomain.xyz -URf
On 2022-09-14 17:47, hi@zakaria.website wrote:
On 2022-09-14 15:11, Serveria Support wrote:
How can I set the global private key in conf? I was following the official mail-crypt tutorial. This is what I have in dovecot.conf mail-crypt section:
mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes
On 2022-09-14 17:23, hi@zakaria.website wrote:
On 2022-09-14 14:41, Serveria Support wrote:
> Hi,
>
> This log shows no errors. Running the doveadm fetch command gives me this:
>
> doveadm(user@mydomain.xyz): Error: fetch(text) failed for box=INBOX uid=15: read() failed: read(/var/vmail/vmail1/mydomain.xyz/a/b/d/xxxxxxxx-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S) failed: Private key not available: Cannot decrypt key fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89: Cannot decrypt key 10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7: Password not available
>
> On 2022-09-13 14:43, hi@zakaria.website wrote:
>> On 2022-09-02 20:40, Serveria Support wrote:
>>> I tried it but it doesn't seem to make any difference at all.
>>>
>>> Can someone please assist me with reading logs? Does this log below mean Dovecot is trying to use master_user again or simply reading the master_user password file?
>>>
>>> Sep 2 15:35:33 mx dovecot: auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
>>> Sep 2 15:35:33 mx dovecot: auth: Debug: passwd-file /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
>>> Sep 2 15:35:33 mx dovecot: auth: Debug: auth client connected (pid=900284)
>>> Sep 2 15:35:33 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
>>>
>>> Everything ok here?
>>>
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: auth client connected (pid=899859)
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE= (previous base64 data may contain sensitive data)
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling PASSV request
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing passdb lookup
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='user1@mydomain.xyz' AND mailbox.enableimaptls=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished passdb lookup
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: auth(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth request finished
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: client passdb out: OK#0111#011user=user1@mydomain.xyz
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: master in: REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling USER request
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing userdb lookup
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE mailbox.username='user1@mydomain.xyz' AND mailbox.enableimaptls=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished userdb lookup
>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Finished
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: sql(user1@mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished userdb lookup
>>> Sep 2 15:25:34 mx dovecot: auth: Debug: master userdb out: USER#0111998585857#011user1@mydomain.xyz#011home=/var/vmail/vmail1/mydomain.xyz/t/e/s/xxxxx-2022.08.30.06.07.08/#011mail=maildir:~/Maildir#011quota_rule=*:bytes=1073741824#011auth_mech=PLAIN#011auth_token=fac9c351492fd6073176272c79ff65b1b3e87f37
>>>
>>> Sep 2 15:25:34 mx dovecot: imap(user1@mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug: Added userdb setting: mail=maildir:~/Maildir
>>> Sep 2 15:25:34 mx dovecot: imap(user1@mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824
>>> Sep 2 15:25:34 mx dovecot: imap(user1@mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug: Effective uid=2000, gid=2000, home=/var/vmail/vmail1/mydomain.xyz/t/e/s/xxxxx-2022.08.30.06.07.08/
>>>
>>> Any ideas?
>>>
>>> On 2022-09-02 20:08, dovecot@ptld.com wrote:
>>>>> password_query = SELECT
>>>>> username as user, password,
>>>>> '%w' AS userdb_mail_crypt_private_password
>>>>> FROM mailbox WHERE username="%u";
>>>>
>>>> Try if using ' instead of " makes a difference.
>>>> FROM mailbox WHERE username='%u';
>>
>> The logs don't show any errors? "Private key not available"? Isn't that clear enough?
Did you set the global private key in dovecot config?
The error is saying that the private key meant to be used to decrypt emails is not found, so either the path you set in the mail-crypt plugin definition is incorrect or the private key file has the wrong ownership or permissions.
Notice it has to be in .pem format as well.
Check RSA key section, in https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#rsa-key
Check the Base64-encoded Keys section; I think it says something about querying the PEM content from the DB per user. Also, search for the "Setting up individual encrypted user keys using mail-crypt-plugin" post in the mailing list; it touches on which variable name needs to be passed in the SQL query for the user's corresponding public and private keys.
Base64-encoding the content of the PEM files seems to be important; otherwise characters like % can cause problems in Dovecot. I suggest storing the keys already encoded to ease handling.
Zakaria.
No problem. Sorry, I don't know, but I recommend checking the Dovecot source code in the git repo.
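The "Private key not available ... Password not available" error and the question of what the auth debug log is saying both reduce to one check: does the "master userdb out: USER ..." line hand mail_crypt_private_password (or a per-user mail_crypt_global_private_key) to the mail process? The debug log shows the mechanism, since each userdb field becomes an "Added userdb setting" in the imap process. The following triage script is an added example, not code from the list posts or from Dovecot. It assumes syslog has rewritten control characters as #NNN octal escapes (so #011 is the TAB separating Dovecot's auth protocol fields), and that a key given inline in a userdb field is accepted either as a PEM block or as a single-line base64 encoding of one, as the Base64-encoded Keys section mentioned above describes. The log lines, user names, PEM placeholder and credential are constructed for the example; only the mail_crypt_* field names are Dovecot's. It also redacts the resp= value that the log itself flags as "may contain sensitive data", because for SASL PLAIN that value is base64 of the username and password.

```python
"""Triage Dovecot auth debug logs for mail-crypt key and password delivery.

Added example, not code from the mailing-list thread or from Dovecot.
Assumptions: syslog wrote control characters as #NNN octal escapes (#011 is
TAB), and the "master userdb out: USER ..." line lists the userdb fields the
mail process receives. All log lines, users and the credential are constructed.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed SASL PLAIN response: authzid NUL authcid NUL password.
SAMPLE_RESP = base64.b64encode(b"\x00alice@example.test\x00hunter2").decode()
# Constructed single-line base64 of a PEM block (placeholder body, not a real key).
SAMPLE_B64_KEY = base64.b64encode(
    b"-----BEGIN EC PRIVATE KEY-----\nMIHcAgEBBEIB...\n-----END EC PRIVATE KEY-----\n"
).decode()

# Constructed log: one auth line with credentials, four userdb answers.
SAMPLE_LOG = f"""\
Sep  2 15:25:34 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011resp={SAMPLE_RESP} (previous base64 data may contain sensitive data)
Sep  2 15:25:34 mx dovecot: auth: Debug: master userdb out: USER#0111998585857#011alice@example.test#011home=/var/vmail/example.test/alice/#011mail=maildir:~/Maildir#011mail_crypt_private_password=s3cret#011auth_mech=PLAIN
Sep  2 15:25:35 mx dovecot: auth: Debug: master userdb out: USER#0111998585858#011bob@example.test#011home=/var/vmail/example.test/bob/#011mail=maildir:~/Maildir#011auth_mech=PLAIN
Sep  2 15:25:36 mx dovecot: auth: Debug: master userdb out: USER#0111998585859#011carol@example.test#011home=/var/vmail/example.test/carol/#011mail_crypt_private_password=#011auth_mech=PLAIN
Sep  2 15:25:37 mx dovecot: auth: Debug: master userdb out: USER#0111998585860#011dave@example.test#011home=/var/vmail/example.test/dave/#011mail_crypt_global_private_key={SAMPLE_B64_KEY}#011auth_mech=PLAIN
"""


def unescape_syslog(text: str) -> str:
    """Turn syslog's #NNN octal escapes (e.g. #011 for TAB) back into characters."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)


def parse_userdb_out(line: str) -> Optional[Tuple[str, Dict[str, Optional[str]]]]:
    """Return (user, fields) from a 'master userdb out: USER ...' line, else None.

    Layout after unescaping: USER <request id> <user> key=value ...
    A field without '=' (a bare flag) is stored with value None.
    """
    marker = "master userdb out: "
    start = line.find(marker)
    if start < 0:
        return None
    parts = unescape_syslog(line[start + len(marker):].rstrip("\n")).split("\t")
    if len(parts) < 3 or parts[0] != "USER":
        return None
    fields: Dict[str, Optional[str]] = {}
    for item in parts[3:]:
        key, sep, value = item.partition("=")
        fields[key] = value if sep else None
    return parts[2], fields


def key_looks_loadable(value: str) -> bool:
    """A key given inline must be a PEM block or single-line base64 of one."""
    if value.startswith("-----BEGIN"):
        return True
    try:
        return base64.b64decode(value, validate=True).startswith(b"-----BEGIN")
    except ValueError:  # binascii.Error is a ValueError
        return False


def check_mail_crypt(fields: Dict[str, Optional[str]]) -> List[str]:
    """From the userdb fields alone, say why decryption would fail for this user."""
    problems: List[str] = []
    has_password = "mail_crypt_private_password" in fields
    global_key = fields.get("mail_crypt_global_private_key")
    if not has_password and global_key is None:
        problems.append("neither mail_crypt_private_password nor mail_crypt_global_private_key "
                        "reached the mail process: passdb/userdb is not returning it")
    if has_password and not fields["mail_crypt_private_password"]:
        problems.append("mail_crypt_private_password is present but empty (passdb returned an empty %w)")
    if global_key is not None and not key_looks_loadable(global_key):
        problems.append("mail_crypt_global_private_key is neither PEM nor base64 of PEM")
    return problems


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map every user with a userdb answer in the log to its mail-crypt problems."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        parsed = parse_userdb_out(line)
        if parsed is not None:
            user, fields = parsed
            report[user] = check_mail_crypt(fields)
    return report


def sasl_plain_identity(resp_b64: str) -> Tuple[str, str, bool]:
    """Decode a SASL PLAIN resp= value to (authzid, authcid, password_present).

    The password itself is deliberately not returned; this only shows that the
    'may contain sensitive data' line really does carry it.
    """
    authzid, authcid, password = base64.b64decode(resp_b64).split(b"\x00", 2)
    return authzid.decode(), authcid.decode(), bool(password)


def redact_auth_secrets(line: str) -> str:
    """Blank the SASL response before sharing auth debug output anywhere."""
    return re.sub(r"resp=[A-Za-z0-9+/=]+", "resp=<redacted>", line)


if __name__ == "__main__":
    for user, problems in triage(SAMPLE_LOG).items():
        print(user, "OK" if not problems else "; ".join(problems))
    print(redact_auth_secrets(SAMPLE_LOG.splitlines()[0]))
```

Run it against real output of `doveadm log errors` or the auth debug log with the same `master userdb out` lines; a user whose report is empty but who still gets "Password not available" points at the mail process side (plugin not loaded for that service, or `doveadm` run without `-o plugin/mail_crypt_private_password=...`), not at the SQL.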