Technically, creating and encrypting a folder key does not require decrypting the user's private key. All folder keys are encrypted with the user's public key.
What is the best way to have a bash script run (as root) at the time a
mailbox is created (lda_mailbox_autocreate)?
I use dovecot 2.3.4.1 on Debian 10, and I use the mail-crypt plugin.
I have set up mail-crypt to require an encrypted user EC key
(mail_crypt_require_encrypted_user_key = yes). I want to encrypt the EC key
with a passphrase derived from the client's plaintext password, so that no
credential is stored on the server. But because a user might use a weak
password, I concatenate the user's plaintext password with a random salt,
hash the string with SHA512(), and use the result as the decryption key
(mail_crypt_private_password) for the EC private key.
For the above I have this plugin config:
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_curve = secp256k1
mail_crypt_require_encrypted_user_key = yes
mail_crypt_save_version = 2
}
And to return userdb_mail_crypt_private_password, I have this SQL query:
password_query = SELECT username, password, \
SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
FROM virtual_users WHERE username='%u';
But how do I generate the user's key automatically? Note that to generate
the user's key I need the user's plaintext password, and I never store the
user's plaintext password on the server.
Also note that users are created by PHP on the web server, and for security
I do not allow PHP to exec a shell (php.ini disable_functions). Definitely
no doveadm access from PHP!
To solve the problem of generating the user's encrypted key, I run the imap
service through the 'imap-postlogin' service, as the "Post-login
scripting" documentation describes, and 'imap-postlogin' executes my custom
script via the 'script-login' binary.
Here is the config for the above:
service imap {
executable = imap imap-postlogin
}
service imap-postlogin {
executable = script-login /usr/local/bin/generateKeys.sh
unix_listener imap-postlogin {
}
}
And generateKeys.sh is a simple script that generates the keys using the
sha256() hash produced by MySQL. Note that the variable
${MAIL_CRYPT_PRIVATE_PASSWORD} is automatically populated from the
'userdb_mail_crypt_private_password' field returned by the MySQL query, as
documented: "Fields returned by userdb lookup with their keys uppercased
(e.g. if userdb returned home, it's stored in HOME)."
Here is generateKeys.sh:
#!/bin/bash
# Generate the user's mail-crypt user key on login if none exists yet.
# USER and MAIL_CRYPT_PRIVATE_PASSWORD are exported by script-login from the userdb lookup.
# Count the lines of the key listing (header plus one line per key); fewer than 2 means no key.
# Note: the listing must reach wc unchanged; redirecting it to /dev/null first makes wc always see 0.
if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
    /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
        mailbox cryptokey generate -u "${USER}" -U > /dev/null
fi
# Hand over to the real IMAP process passed in by script-login.
exec "$@"
This works! But I want to do better. Why execute it on every login? Is it
possible to have generateKeys.sh execute only at the times dovecot creates
the mailbox (lda_mailbox_autocreate) instead?
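The post-login hook described above, written as an added example that is not the poster's own generateKeys.sh, restructured so the key-existence check can be exercised offline with a stub in place of /usr/bin/doveadm. It keeps the poster's convention that a key listing of fewer than two lines (header plus one line per key) means no user key exists; the DOVEADM variable, the count_key_lines/needs_user_key/ensure_user_key function names, and the "generated"/"present" result strings are assumptions introduced here. The secret is still passed with doveadm -o exactly as in the original script, which places it in the doveadm argument list; the example simply avoids echoing it anywhere else.

```shell
#!/bin/sh
# Added example (not from the original post): a post-login hook in the shape of
# generateKeys.sh. Assumes "doveadm mailbox cryptokey list -U" prints a header
# line plus one line per user key, as the poster's script relies on. DOVEADM
# (assumed name) lets a test substitute a stub for the real binary.

DOVEADM="${DOVEADM:-/usr/bin/doveadm}"

# Count the lines of a key listing read from stdin. The listing must be piped
# into wc unchanged: redirecting doveadm's stdout to /dev/null first would make
# wc always report 0 lines, so the generate step would run on every login.
count_key_lines() {
    wc -l | tr -d ' '
}

# Succeed (exit 0) when the user has no user key yet.
needs_user_key() {
    user="$1"
    n=$("$DOVEADM" mailbox cryptokey list -u "$user" -U 2>/dev/null | count_key_lines)
    [ "${n:-0}" -lt 2 ]
}

# Generate the encrypted user key only when it is missing. Prints "generated"
# or "present" so callers can see what happened; the secret itself is never
# printed or logged here.
ensure_user_key() {
    user="$1"
    secret="$2"
    if needs_user_key "$user"; then
        "$DOVEADM" -o "plugin/mail_crypt_private_password=$secret" \
            mailbox cryptokey generate -u "$user" -U >/dev/null || return 1
        echo "generated"
    else
        echo "present"
    fi
}

# When started by script-login, the arguments are the real IMAP process to
# exec and USER / MAIL_CRYPT_PRIVATE_PASSWORD come from the userdb lookup.
# With no arguments (sourced, or run by a test) nothing runs.
if [ "$#" -gt 0 ]; then
    if [ -n "${USER:-}" ] && [ -n "${MAIL_CRYPT_PRIVATE_PASSWORD:-}" ]; then
        ensure_user_key "$USER" "$MAIL_CRYPT_PRIVATE_PASSWORD" >/dev/null
    fi
    exec "$@"
fi
```

To use it in place of generateKeys.sh, point the script-login line of the imap-postlogin service at this file; the only behavioural difference from the original is that the listing is actually counted, so doveadm is only asked to generate a key when the listing shows none.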