I have been using postfix+dovecot successfully for a while now, until I tried the mail_crypt plugin lately. I tried what is described here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ and went for global keys as described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys ("A good solution for environments where no user folder sharing is needed is to generate per-user EC key pair and encrypt that with something derived from user's password.")
I am setting mail_crypt_global_private_key, mail_crypt_global_public_key and mail_crypt_save_version from user_query, and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt seems to work fine in IMAP (I saved a message as a draft and it is stored encrypted on disk), but LMTP complains: "mail_crypt_global_private_key_password unset, no password to decrypt the key". As you can see in the logs below, it was able to set all the other mail_crypt_ settings successfully from user_query. However, the password is provided via password_query, and I assume LMTP does not read password_query. How else can I provide the password to LMTP? Is my approach correct to begin with?
-- Dovecot Configurations --
# using doveconf -n
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 5.15.0-57-generic x86_64 Ubuntu 20.04.5 LTS
# Hostname: mailserver-dovecot-7c9ff7b94b-8ldrr
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
debug_log_path = /dev/stdout
haproxy_trusted_networks = 192.168.0.0/16 10.10.10.0/24 10.10.30.0/24 172.17.0.1/16
hostname = imap.mailserver.k8s.local pop.mailserver.k8s.local
info_log_path = /dev/stdout
listen = *
log_path = /dev/stdout
mail_debug = yes
mail_gid = 1000
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/:LAYOUT=fs
mail_plugins = quota mail_crypt
mail_privileged_group = mail
mail_uid = 1000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY APPEND FLAG
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY APPEND FLAG
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_crypt_save_version = 0
  quota = maildir:User quota
  quota_exceeded_message = User %u has exhausted allowed storage space.
  quota_rule = Junk:ignore
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=90%% quota-warning 90 %u %d
  quota_warning2 = storage=80%% quota-warning 80 %u %d
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_global = /var/vmail/sieve/global/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
  sieve_pipe_bin_dir = /var/vmail/sieve/global
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = " imap lmtp sieve pop3"
service auth {
  inet_listener {
    port = 25252
  }
}
service imap-login {
  inet_listener imap {
    haproxy = yes
  }
  inet_listener imaps {
    haproxy = yes
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
    haproxy = yes
  }
  inet_listener pop3s {
    haproxy = yes
  }
}
ssl = required
ssl_cert = </etc/dovecot/certs/tls.crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  info_log_path = /dev/stdout
  log_path = /dev/stdout
  mail_plugins = quota mail_crypt sieve
  postmaster_address = <hidden>
}
protocol imap {
  mail_plugins = quota mail_crypt quota imap_quota imap_sieve
}
-- Dovecot Configurations Ends --
-- Password Query --
password_query =
SELECT username, domain, password,
'%{sha256:password}' AS userdb_mail_crypt_global_private_key_password
FROM mailbox
WHERE username='%u';
-- Password Query Ends --
-- User Query --
user_query = SELECT CONCAT('*:bytes=', 1024) as quota_rule,
private_key AS mail_crypt_global_private_key,
public_key AS mail_crypt_global_public_key,
mail_crypt_save_version AS mail_crypt_save_version
FROM mailbox
WHERE username='%u';
-- User Query Ends --
-- Debug Logs --
--- Load Inbox ---
imap-login: Info: Login: user=<someone@example.com>, method=PLAIN, rip=192.168.49.1, lip=192.168.49.2, mpid=241, TLS, session=<oaoI9sLxVKXAqDEB>
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_mail_crypt_plugin.so
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib95_imap_sieve_plugin.so
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_private_key_password=<hidden>
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_save_version=2
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota root: name=User quota backend=maildir args=
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota rule: root=User quota mailbox=* bytes=1024000000 messages=0
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota rule: root=User quota mailbox=Trash bytes=+104857600 messages=0
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota warning: bytes=921600000 (90%) messages=0 reverse=no command=quota-warning 90 someone@example.com example.com
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota warning: bytes=819200000 (80%) messages=0 reverse=no command=quota-warning 80 someone@example.com example.com
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota grace: root=User quota bytes=102400000 (10%)
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: open(/proc/self/io) failed: Permission denied
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/:LAYOUT=fs
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: fs: root=/var/vmail/mailboxes/example.com/someone, index=, indexpvt=, control=, inbox=/var/vmail/mailboxes/example.com/someone, alt=
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: quota: quota_over_flag check: quota_over_script unset - skipping
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Mailbox INBOX: Mailbox opened
--- Load Inbox Ends ---
--- Lmtp ---
lmtp(248): Info: Connect from 172.17.0.1
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: userdb lookup(someone@example.com): Started userdb lookup
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb (pid=143,uid=0): Client connected (fd=18)
imap(someone@example.com)<247><WlggG8PxEOvAqDEB>: Debug: Mailbox Sent: Purging (new file_seq=1673195172): creating cache
imap(someone@example.com)<247><WlggG8PxEOvAqDEB>: Debug: Mailbox Sent: Purging finished, file_seq changed 0 -> 1673195172, size=0 -> 388, max_uid=0
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: userdb lookup(someone@example.com): auth USER input: someone@example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: userdb lookup(someone@example.com): Finished userdb lookup (username=someone@example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2)
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
imap(someone@example.com)<247><WlggG8PxEOvAqDEB>: Debug: duplicate db: Initialize
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
imap(someone@example.com)<247><WlggG8PxEOvAqDEB>: Debug: sieve: Pigeonhole version 0.5.19 (4eae2f79) initializing
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Quota root: name=User quota backend=maildir args=
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Quota rule: root=User quota mailbox=* bytes=1024000000 messages=0
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Quota rule: root=User quota mailbox=Trash bytes=+104857600 messages=0
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Quota warning: bytes=921600000 (90%) messages=0 reverse=no command=quota-warning 90 someone@example.com example.com
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Quota warning: bytes=819200000 (80%) messages=0 reverse=no command=quota-warning 80 someone@example.com example.com
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Quota grace: root=User quota bytes=102400000 (10%)
lmtp(248): Error: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Failed to initialize user: mail_crypt_plugin: mail_crypt_global_private_key: mail_crypt_global_private_key_password unset, no password to decrypt the key
lmtp(248): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
--- Lmtp Ends ---
-- Debug Logs Ends --
Thanks Baljeet Bhinder
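Editor's note with an added example (not part of the original post, and not configuration taken from the Dovecot documentation). The LMTP log above shows only an auth-master userdb lookup, never a passdb lookup, so the userdb_ prefixed extra fields that password_query returns are merged in only for sessions that authenticate through passdb (IMAP, POP3, ManageSieve); LMTP sees just user_query's columns. Because user_query hands LMTP the private key without its password, the plugin refuses to start. My understanding of mail_crypt is that saving a message needs only the public key, so one arrangement is to move the private key next to its password in password_query and leave only the public key in user_query. The queries below keep the post's mailbox table and column names (username, domain, password, private_key, public_key, mail_crypt_save_version); the split itself is my suggestion and an assumption that your deployment has no LMTP-side read of encrypted mail.

```sql
# /etc/dovecot/dovecot-sql.conf.ext (added example, not the original poster's file)
#
# Only passdb-authenticated logins (IMAP/POP3/ManageSieve) run password_query,
# so everything the mail_crypt plugin needs to DECRYPT, i.e. the private key and
# the password protecting it, is returned here as userdb_-prefixed extra fields.
# The private key is therefore never handed to a process that lacks its password.
password_query = \
  SELECT username, domain, password, \
         private_key AS userdb_mail_crypt_global_private_key, \
         '%{sha256:password}' AS userdb_mail_crypt_global_private_key_password \
  FROM mailbox \
  WHERE username = '%u'

# LMTP (and doveadm) only perform a userdb lookup, so user_query returns just
# what is needed to ENCRYPT newly delivered mail: the public key and the save
# version. With no private key in this result, the
# "mail_crypt_global_private_key_password unset" check has nothing to trip on.
user_query = \
  SELECT CONCAT('*:bytes=', 1024) AS quota_rule, \
         public_key AS mail_crypt_global_public_key, \
         mail_crypt_save_version AS mail_crypt_save_version \
  FROM mailbox \
  WHERE username = '%u'
```

Two caveats worth checking before adopting this. First, anything that runs in a userdb-only context (LMTP, Sieve at delivery time, doveadm) can then write encrypted mail but cannot read existing messages, which matters for any doveadm job that needs message bodies. Second, the key password is derived from the login password, and the posted config has auth_verbose_passwords = yes, which logs the password from failed authentication attempts to /dev/stdout; with the mailbox key tied to that password, turning it off (or using the sha1 form) keeps the key material out of the container logs.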