Hi.
I'm trying to keep most of my data encrypted when possible, only keeping the decryption key in memory (and thus vulnerable to local attacks) when I'm actually using my data. In practice, this means using pam_mount to mount my home directory from an encrypted device.
It almost looked like I could get this to work with mail as well, even when read via IMAP from a remote client: I placed my mail in the encrypted home directory, added pam_mount to /etc/pam.d/dovecot, and set session=yes in Dovecot's PAM configuration.
Except that it didn't, quite: pam_mount worked just fine and mounted the encrypted disk using the IMAP password... and then immediately unmounted it, since for some reason session=yes means that Dovecot closes the session _immediately_ after opening it.
This seems just silly. If a PAM session is to be used, then it seems obvious to me that its length should be exactly the length of the IMAP session. I can't see any reason for the current behavior, except maybe that it was a bit simpler to code and is sufficient for pam_mkhomedir (and only that).
Can this be fixed with reasonable effort?
Also, for pam_mount to work correctly, there must not be any file descriptors open in the mounted file system when the session closes, as otherwise unmounting is impossible. Will Dovecot release all fds into the mail and index files when the session ends, or can it be made to do so? (UTSL is an acceptable answer.)
Thanks in advance.
Lauri Alanko la@iki.fi
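The setup the message describes, written out as an added example (not from the original post or from the Dovecot project): a PAM stack for Dovecot that hands the IMAP password to pam_mount, the pam_mount volume entry, and the Dovecot passdb stanza in 2.x syntax. The module order, the device path and the mount point are assumptions; the passdb syntax is the current one, not the syntax in use when the message was written.

```conf
# /etc/pam.d/dovecot (assumed layout)
# pam_mount has to run in the auth phase to capture the password and in the
# session phase to mount at session open and unmount at session close. That
# second point is what the message is about: a session that is closed right
# after it is opened unmounts the home directory again immediately.
auth     required  pam_unix.so
# use_first_pass: take the password pam_unix already collected
auth     optional  pam_mount.so use_first_pass
account  required  pam_unix.so
session  required  pam_unix.so
session  optional  pam_mount.so

# /etc/security/pam_mount.conf.xml volume entry
# device and mount point are placeholders; fstype="crypt" is a dm-crypt/LUKS volume
# <volume user="*" fstype="crypt" path="/dev/PLACEHOLDER" mountpoint="/home/%(USER)" />

# Dovecot passdb (2.x syntax). session=yes makes Dovecot open a PAM session,
# which is the only way pam_mount's session-phase mount runs at all.
passdb {
  driver = pam
  args   = session=yes dovecot
}
```

The unmount at session close only succeeds when no process still holds a file under the mount point, so with this stack any Dovecot process keeping mail or index files open after the session ends leaves the home directory mounted (and the key usable) until those descriptors are closed.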