Op 10 apr. 2023 om 18:40 heeft Martin Stenzel <stenzel@bw-host.de> het volgende geschreven:

Environment:

openSuSE Linux server.

dovecot version 2.3.20

openssl version 1.1.1

ruby version 3.1.2p20

decrypt.rb version https://gist.github.com/cmouse/882f2e2a60c1e49b7d343f5a6a2721de

This is the way I generated the keys:

openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem
openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem

This is the 10-mailcrypt.conf:

mail_plugins = $mail_plugins mail_crypt

plugin {
   #fts_index_fs = crypt:set_prefix=fscrypt_index:posix:set_prefix=/tmp/fts
   mail_crypt_global_private_key = </etc/dovecot/mailcrypt/ecprivkey.pem
   mail_crypt_global_public_key = </etc/dovecot/mailcrypt/ecpubkey.pem
   mail_crypt_save_version = 2
}
 

Encryption of incoming (thanks to dovecot-lda), as well as outgoing mails works perfectly.

But for me it is more a feature than a bug, since now, even as root I am not able to decrypt users mails.

This serves plausible deniability.

But how can I make sure, that NOBODY ELSE can decrypt with this specific private key?

Is there ANY OTHER way to decrypt the mails besides the script?

Have a nice Monday, and THANKS for taking your time!

Martin, Cologne

P. S. Did you notice, that as an argument (-k) the results are the same, both with private and public key?

P.P.S. If i give the "-w" argument and a file name, the file remains empty, tried even that without success.

P.P.P.S. If I call the script with ruby version 2 it bails out...