Keys are generated when they are needed, so it does require that provisioning step currently. Maybe user key could be made on login too...

---
Aki Tuomi
Dovecot Oy

-------- Original message --------
From: eaerhaerhaehae aehraerhaeha <dovecotquestion@gmx.de>
Date: 01/09/2018 13:57 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Do encrypted user keys self generate?

Hi!

Dovecot version 2.2.33.2
I added folder based encryption with encrypted user keys to my dovecot using the five config lines in the manual:
https://wiki2.dovecot.org/Plugins/MailCrypt#Folder_keys
I also adjusted the database query slightly, as suggested. (MySQL, SHA512 passwords)
I found out that I have to either:
- manually generate a key using doveadm -o plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail@example.org -URf
OR
- send an email to the newly generated address. It will end up in the mail queue (postqueue -p) with the error message "mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key"
10-30 minutes later, however, a key will have been automatically generated and the email will be delivered.
QUESTION 1: Does dovecot use the IMAP login my client performs to grab the password required to generate an encrypted user key? Or did it create an unencrypted key? It definitely seems to be password protected because "doveadm mailbox cryptokey password" will fail setting a new password unless I specify the actual email address password.
QUESTION 2: If I change the password in the MySQL database this won't work, because Dovecot will not have access to the old password, correct?
Thank you for your time.
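The provisioning step the reply refers to, as an added example that is not part of the thread and not Dovecot project code: a small POSIX sh helper that creates the encrypted user key up front (the same doveadm command the question quotes), lists the user keys to confirm it exists, and re-encrypts the private key under a new password before the login password is changed in the database. Assumptions, to be checked against doveadm help mailbox cryptokey on your version: the generate flags -U/-R/-f as used in the thread, cryptokey list -U for the user key, and cryptokey password taking the old and new password with -o and -n; the password is passed on the command line, so it is visible in the process list while doveadm runs.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Dovecot.
# Wraps the doveadm cryptokey commands discussed in the thread so the
# user key is provisioned before the first delivery, and rotated with
# the old password still in hand (assumed flags; verify on your version).

DOVEADM="${DOVEADM:-doveadm}"   # doveadm binary, overridable for testing
DRY_RUN="${DRY_RUN:-0}"         # 1 = print the command instead of running it

# run CMD ARGS...: execute, or print the command line when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_user_key USER PASSWORD
# Creates the password-encrypted user keypair now, so delivery does not
# stall with "cannot generate user keypair without password or key".
# -U = user key, -R = recrypt, -f = force (as in the thread). The private
# password is given via the doveadm -o setting override, exposing it in ps.
provision_user_key() {
    user="$1"; password="$2"
    [ -n "$user" ] && [ -n "$password" ] || {
        echo "usage: provision_user_key USER PASSWORD" >&2; return 2; }
    run "$DOVEADM" -o "plugin/mail_crypt_private_password=$password" \
        mailbox cryptokey generate -u "$user" -URf
}

# list_user_keys USER: show the user keys, to confirm the key was created.
list_user_keys() {
    [ -n "$1" ] || { echo "usage: list_user_keys USER" >&2; return 2; }
    run "$DOVEADM" mailbox cryptokey list -u "$1" -U
}

# rotate_key_password USER OLD NEW
# Re-encrypts the private key under NEW. OLD is required because the key
# is encrypted under it (the thread observes cryptokey password fails
# without the current password), so run this BEFORE updating the login
# password in the database, and only change the database if it succeeds.
rotate_key_password() {
    user="$1"; old="$2"; new="$3"
    [ -n "$user" ] && [ -n "$old" ] && [ -n "$new" ] || {
        echo "usage: rotate_key_password USER OLD NEW" >&2; return 2; }
    run "$DOVEADM" mailbox cryptokey password -u "$user" -o "$old" -n "$new"
}

# Minimal CLI: ./cryptokey-helper.sh provision|list|rotate ARGS...
case "${1:-}" in
    provision) shift; provision_user_key "$@" ;;
    list)      shift; list_user_keys "$@" ;;
    rotate)    shift; rotate_key_password "$@" ;;
    "")        ;;   # no subcommand: only define the functions
    *)         echo "usage: $0 provision|list|rotate ARGS..." >&2; exit 2 ;;
esac
```

Run it as root on the mail host; DRY_RUN=1 prints each doveadm command line without executing it, which is also how the helper can be checked without a Dovecot installation.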