Not sure if that helps in finding the conflicting plugin, but here is the success log that saves an unencrypted mail (after disabling mail_crypt).
---- Lmtp Log ----
lmtp(314): Info: Connect from 172.17.0.1
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone@example.com): Started userdb lookup
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb (pid=144,uid=0): Client connected (fd=18)
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone@example.com): auth USER input: someone@example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone@example.com): Finished userdb lookup (username=someone@example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2)
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/:LAYOUT=fs
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: fs: root=/var/vmail/mailboxes/example.com/someone, index=, indexpvt=, control=, inbox=/var/vmail/mailboxes/example.com/someone, alt=
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: Mailbox INBOX: Mailbox opened
lmtp(someone@example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Info: msgid=<4e6b1652-8a1f-892f-af09-b9447dbbfcfd@example.com>: saved mail to INBOX
lmtp(314): Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone@example.com: User session is finished
lmtp(314): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
---- Lmtp Log Ends ----
January 9, 2023 6:00 AM, "Aki Tuomi" <aki.tuomi@open-xchange.com> wrote:
On 08/01/2023 18:55 EET Baljeet Bhinder <contact@baljeetbhinder.ca> wrote:
I have been using postfix+dovecot successfully for a while now until I tried the mail crypt plugin lately. I tried what is described here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin and I went for global-keys as described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys "A good solution for environments where no user folder sharing is needed is to generate per-user EC key pair and encrypt that with something derived from user’s password."
I am setting mail_crypt_global_private_key, mail_crypt_global_public_key, mail_crypt_save_version from user_query and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt seems to work fine in imap (I saved a message as draft and it is stored encrypted on the disk), but lmtp complains about "mail_crypt_global_private_key_password unset, no password to decrypt the key". As you can see in the logs below, it was able to set all other mail_crypt_ configurations successfully from user_query. However, the password is provided via password_query and I assume lmtp does not read password_query. How else can I provide a password in lmtp? Is my approach correct to begin with?
Hi!
The problem with user-password derivation is what you've run into. Some features, like quota or FTS, might need to access the user's mail without being able to access the password, because it's not available.
If you run into these, the only thing you can do is to not use conflicting features. Using the user's password as the encryption key is a very tricky thing to get working right.
Thanks Baljeet Bhinder
Regards, Aki
Thanks, Baljeet Bhinder