On 25/03/2025 22:16 EET luis.neapolis--- via dovecot <dovecot@dovecot.org> wrote:
Hello, I write here again as I made some progress. Now I can read correctly from LDAP both the private key and the public key; also I can read the password of the user during the IMAP session to allow Dovecot to decrypt emails.
The problem now is that I cannot fix a configuration that works for both encryption (receiving emails via the LMTP process) and decryption (reading emails via the IMAP process).
The following configuration allows dovecot to read (decrypt) emails but cannot receive any new emails (encrypt):
crypt_global_private_key main {
}
userdb ldap {
  driver = ldap
  fields {
    crypt_global_public_key_file=inline:%{ldap:pubkey}
    crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey}
    crypt_private_key_password=%{password}
  }
}
but when the Dovecot LMTP process receives a new email I get this error:
lmtp(138655): Fatal: Raw user initialization failed: mail_crypt_plugin: main: Couldn't parse private key : Unknown key format
The following configuration instead allows Dovecot to receive new emails (encrypt) but doesn't allow reading emails (decrypt):
#crypt_global_private_key main {
#}
userdb ldap {
  driver = ldap
  fields {
    crypt_global_public_key_file=inline:%{ldap:pubkey}
    crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey}
    crypt_private_key_password=%{password}
  }
}
but when the Dovecot IMAP process wants to read an email I get this error:
imap(test@domain.com)<138699><nSKkDjAxdJWsHUKZ>: Error: Mailbox INBOX: UID 81: read() failed: read(/mail/domain.com/test/cur/1742932215.M80009P138688.pop.server.com,S=3172,W=3228:2,) failed: Decryption error: no private key available (FETCH BODY[HEADER])
imap(test@domain.com)<138699><nSKkDjAxdJWsHUKZ>: Disconnected: FETCH read() failed in=216 out=938 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=0 body_count=0 body_bytes=0
In the first scenario it appears that when Dovecot receives emails via the LMTP process it tries to read the key in the crypt_global_private_key main section, but there is no key defined inside it, and it says that it cannot parse the private key (why? Dovecot should need just the public key for encrypting, not the private one).
Instead, in the second scenario, when it tries to read emails it appears Dovecot needs a crypt_global_private_key main section to be defined (why? it should be enough that I declare a private key in the userdb section). Also, in the second scenario I tried to replace crypt_global_private_key/main/crypt_private_key_file with just crypt_private_key_file, but it doesn't work.
Maybe it is a bug? Thank you to everyone who can give me some suggestion.
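Both configurations above feed key material to the mail-crypt plugin through inline:%{ldap:...} substitutions, so whatever is stored in those LDAP attributes reaches the plugin verbatim. The following is an added example, not code from this thread or from Dovecot, that checks a key value the way an administrator might before wiring it into such a configuration. It assumes (my assumption, the thread does not say) that the attributes hold PEM-encoded keys; the sample values are constructed stand-ins, not real keys. It checks the structure a PEM parser needs (BEGIN/END lines with matching labels, a base64 body that decodes to a DER SEQUENCE) and flags the case of a PEM blob whose line breaks were lost, which strict parsers reject as an unknown format.

```python
import base64
import binascii
import re

# Constructed sample: a minimal DER SEQUENCE (not a usable key), base64-encoded
# and wrapped as PEM. It only exercises the structural checks below.
_FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_OK = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(_FAKE_DER).decode()
    + "\n-----END PRIVATE KEY-----\n"
)
# Same value with every newline removed, as it can end up after passing
# through a single-line attribute store or a line-folding tool.
SAMPLE_FLATTENED = SAMPLE_OK.replace("\n", "")

_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_FOOTER = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def check_pem(value: str) -> dict:
    """Structurally validate one PEM block.

    Returns {"ok": bool, "label": str | None, "reason": str}.  This does not
    verify that the DER payload is a valid key; it only catches the transport
    damage (lost newlines, truncated or non-base64 body, mismatched armor)
    that makes a parser reject the value outright.
    """
    text = value.strip()

    # Most common damage: armor and body all on one line.
    if "\n" not in text and "-----BEGIN" in text and "-----END" in text:
        return {"ok": False, "label": None, "reason": "PEM newlines stripped"}

    lines = text.splitlines()
    if len(lines) < 3:
        return {"ok": False, "label": None, "reason": "too few lines for a PEM block"}

    head, foot = _HEADER.match(lines[0]), _FOOTER.match(lines[-1])
    if not head or not foot:
        return {"ok": False, "label": None, "reason": "missing or malformed BEGIN/END line"}
    label = head.group(1)
    if label != foot.group(1):
        return {"ok": False, "label": label, "reason": "BEGIN/END labels differ"}

    body = "".join(line.strip() for line in lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except (ValueError, binascii.Error):
        return {"ok": False, "label": label, "reason": "body is not valid base64"}

    # Every PKCS#8 / SEC1 / X.509 structure starts with a DER SEQUENCE (0x30).
    if not der or der[0] != 0x30:
        return {"ok": False, "label": label, "reason": "decoded body is not a DER SEQUENCE"}

    return {"ok": True, "label": label, "reason": "structurally valid PEM"}


if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_FLATTENED", SAMPLE_FLATTENED)):
        print(name, check_pem(sample))
```

Running it against values pulled from the directory (for example, the output of an ldapsearch for the pubkey and privkey attributes) tells you whether the blob is still a parseable PEM block before the plugin sees it; a "newlines stripped" result points at how the attribute was stored, not at the Dovecot configuration.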
This looks like your indexes are out of sync, and Dovecot cannot recreate indexes without reading the emails. And it needs a private key to decrypt those emails.
Aki