I have been using postfix+dovecot successfully for a while now until I tried mail crypt plugin lately. I tried what is describe here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ and I went for global-keys as described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys /"A good solution for environments where no user folder sharing is needed is to generate per-user EC key pair and encrypt that with something derived from user’s password."/
I am setting mail_crypt_global_private_key, mail_crypt_global_public_key, mail_crypt_save_version from user_query and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt seems to work fine in imap (I saved a message as draft and it is stored encrypted on the disk), but lmtp complains about "mail_crypt_global_private_key_password unset, no password to decrypt the key" As you can see below in logs that it was able to set all other mail_crypt_ configurations successfully from user_query. However, the password is provided via password_query and I assume lmtp does not read password_query. How else can I provide a password in lmtp? Is my approach correct to begin with?
-- Dovecot Configurations -- # using doveconf -n # 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.19 (4eae2f79) # OS: Linux 5.15.0-57-generic x86_64 Ubuntu 20.04.5 LTS # Hostname: mailserver-dovecot-7c9ff7b94b-8ldrr auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = yes debug_log_path = /dev/stdout haproxy_trusted_networks = 192.168.0.0/16 10.10.10.0/24 10.10.30.0/24 172.17.0.1/16 hostname = imap.mailserver.k8s.local pop.mailserver.k8s.local info_log_path = /dev/stdout listen = * log_path = /dev/stdout mail_debug = yes mail_gid = 1000 mail_home = /var/vmail/mailboxes/%d/%n mail_location = maildir:~/:LAYOUT=fs mail_plugins = quota mail_crypt mail_privileged_group = mail mail_uid = 1000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe autoexpunge = 30 days special_use = \Junk } mailbox Trash { auto = subscribe autoexpunge = 30 days special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve imapsieve_mailbox1_causes = COPY APPEND FLAG imapsieve_mailbox1_name = Spam imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve imapsieve_mailbox2_causes = COPY APPEND FLAG imapsieve_mailbox2_from = Spam imapsieve_mailbox2_name = * mail_crypt_save_version = 0 quota = maildir:User quota quota_exceeded_message = User %u has exhausted allowed storage space. quota_rule = Junk:ignore quota_rule2 = Trash:storage=+100M quota_warning = storage=90%% quota-warning 90 %u %d quota_warning2 = storage=80%% quota-warning 80 %u %d sieve = file:~/sieve;active=~/.dovecot.sieve sieve_before = /var/vmail/sieve/global/spam-global.sieve sieve_global = /var/vmail/sieve/global/ sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug sieve_pipe_bin_dir = /var/vmail/sieve/global sieve_plugins = sieve_imapsieve sieve_extprograms } protocols = " imap lmtp sieve pop3" service auth { inet_listener { port = 25252 } } service imap-login { inet_listener imap { haproxy = yes } inet_listener imaps { haproxy = yes ssl = yes } } service lmtp { executable = lmtp -L inet_listener lmtp { address = 0.0.0.0 port = 24 } } service managesieve-login { inet_listener sieve { port = 4190 } } service pop3-login { inet_listener pop3 { haproxy = yes } inet_listener pop3s { haproxy = yes } } ssl = required ssl_cert =
-- Password Query --
password_query =
SELECT username, domain, password,
'%{sha256:password}' AS userdb_mail_crypt_global_private_key_password
FROM mailbox
WHERE username='%u';
-- Password Query Ends--
-- User Query --
user_query = SELECT CONCAT('*:bytes=', 1024) as quota_rule,
private_key AS mail_crypt_global_private_key,
public_key AS mail_crypt_global_public_key,
mail_crypt_save_version AS mail_crypt_save_version
FROM mailbox
WHERE username='%u';
-- User Query Ends --
-- Debug Logs --
--- Load Inbox ---
imap-login: Info: Login: user=someone@example.com, method=PLAIN,
rip=192.168.49.1, lip=192.168.49.2, mpid=241, TLS,
session=<oaoI9sLxVKXAqDEB>
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Loading modules
from directory: /usr/lib/dovecot/modules
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded:
/usr/lib/dovecot/modules/lib10_mail_crypt_plugin.so
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded:
/usr/lib/dovecot/modules/lib10_quota_plugin.so
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded:
/usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded:
/usr/lib/dovecot/modules/lib95_imap_sieve_plugin.so
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb
setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb
setting: plugin/mail_crypt_global_private_key_password=<hidden>
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb
setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb
setting: plugin/mail_crypt_save_version=2
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb
setting: plugin/quota_rule=*:bytes=1024000000
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Effective
uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug:
mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys
disabled
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota root:
name=User quota backend=maildir args=
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota rule:
root=User quota mailbox=* bytes=1024000000 messages=0
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota rule:
root=User quota mailbox=Trash bytes=+104857600 messages=0
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota warning:
bytes=921600000 (90%) messages=0 reverse=no command=quota-warning 90
someone@example.com example.com
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota warning:
bytes=819200000 (80%) messages=0 reverse=no command=quota-warning 80
someone@example.com example.com
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota grace:
root=User quota bytes=102400000 (10%)
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug:
open(/proc/self/io) failed: Permission denied
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Namespace
inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes,
subscriptions=yes location=maildir:~/:LAYOUT=fs
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: fs:
root=/var/vmail/mailboxes/example.com/someone, index=, indexpvt=,
control=, inbox=/var/vmail/mailboxes/example.com/someone, alt=
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: quota:
quota_over_flag check: quota_over_script unset - skipping
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Mailbox INBOX:
Mailbox opened
--- Load Inbox Ends ---
--- Lmtp ---
lmtp(248): Info: Connect from 172.17.0.1
lmtp(someone@example.com)<248>
Thanks Baljeet Bhinder