On 05/05/2023 14:57 EEST efeizbudak@disroot.org wrote:
On 2023-05-05 14:29, efeizbudak--- via dovecot wrote:
On 2023-05-05 09:09, Aki Tuomi via dovecot wrote:
On 05/05/2023 05:49 EEST efeizbudak--- via dovecot dovecot@dovecot.org wrote:
try
doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox cryptokey generate -U -u dmarc
maybe it works?
Aki

This gives the same error as the above that starts with
doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key
Ok, since this is getting too annoying I tested out that
doveadm -o plugin/mail_crypt_private_password=foo mailbox cryptokey generate -u dmarc -U
at least works for me with that setting.
I've made an issue of this, because it's not supposed to work like this. Although it can end up as a documentation task.
Aki

That worked! Thank you!! Sorry, I've missed one important part. After running this command and creating the keys, the emails are now received fine on the account but how can I actually read them? I've tried to log into the account using something like
mutt -f imap://dmarc@domain.com/Inbox
but the login fails I guess because the user has keys but no password to login. How can I decrypt the mail on this account using the generated keys? I've also tried
doveadm fetch -u dmarc "text" MAILBOX INBOX UNSEEN
which gives me an error about password not being available.
Well yes. There have been so many threads on this on the mailing list so I'll just summarize it here:
If you are going to use per-user-passwords, you need to hash them. In config, you need to export this in passdb. Otherwise it will never end up in plugin environment. Hash them to avoid certain characters making a mess and also to make it more secure.
You **must** either make your users log in to Dovecot before receiving email, **or** include cryptokey management in your provisioning workflow. Remember to hash the password when providing it over -o plugin/mail_crypt_private_password.
Dovecot has no facility to ask the password over IMAP when you try to read the mail.
Doing per-user-password encryption is difficult to get right.
Aki
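As an added example of the provisioning-workflow option Aki describes (this is not code from the thread or from Dovecot), the script below generates the per-user keypair before any mail is delivered and hands the key password to doveadm already hashed. The two doveadm invocations are the ones that appear in the thread; everything else is an assumption of this example: the key password is taken to be the hex SHA-256 of the user's login password, the passdb used at login is assumed to export that same value as mail_crypt_private_password (otherwise IMAP and doveadm fetch still fail with the "password not available" error the original poster saw), the function names hash_key_password, gen_user_key and check_can_decrypt are invented here, and DOVEADM can be pointed at a stub such as echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): provision a mail_crypt
# user keypair with a HASHED key password, as Aki advises, and verify that the
# same hash can decrypt the mailbox.
#
# Assumptions of this example:
#   - key password = hex SHA-256 of the user's login password (hex output has
#     no characters that upset the shell or the Dovecot config parser);
#   - the passdb serving IMAP/LMTP exports the identical hash as
#     mail_crypt_private_password, or reads will still fail;
#   - DOVEADM may be overridden (DOVEADM=echo ./provision.sh) for a dry run.
#
# Usage: DOVEADM=echo; gen_user_key dmarc 'login-password'

DOVEADM="${DOVEADM:-doveadm}"

# Hex SHA-256 of the key password. Prefers coreutils sha256sum, falls back to
# openssl so the helper also works on hosts without coreutils.
hash_key_password() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'
    fi
}

# Generate the user keypair up front (before the first delivery), passing the
# hashed password via -o plugin/mail_crypt_private_password exactly as in the
# thread. -U is the flag used there to operate on the user keypair.
gen_user_key() {
    user="$1"
    hashed="$(hash_key_password "$2")"
    "$DOVEADM" -o "plugin/mail_crypt_private_password=$hashed" \
        mailbox cryptokey generate -u "$user" -U
}

# Sanity check: fetch message text the way the original poster tried, but with
# the hashed key password supplied. Assumption: the -o override reaches the
# mail_crypt plugin for "doveadm fetch" just as it does for "cryptokey generate".
check_can_decrypt() {
    user="$1"
    hashed="$(hash_key_password "$2")"
    "$DOVEADM" -o "plugin/mail_crypt_private_password=$hashed" \
        fetch -u "$user" text mailbox INBOX
}
```

Run gen_user_key from whatever creates the account, and keep the hashing step in exactly one place (a shared helper or a passdb expression) so the value exported at login can never drift from the one used at key generation; if the two differ the keypair exists but nothing can unlock it.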