Dovecot 2.4.4 - mail_crypt with per-user Global Keys from LDAP (not Folder Keys)
Hi everyone,
I'm trying to configure Dovecot 2.4.4 with per-user encryption keys stored in LDAP, using Global Keys mode (NOT Folder Keys).
My goal: Each user has their own public key and private key (encrypted with the user's login password) stored in LDAP attributes.
- LMTP should use the public key to encrypt incoming emails.
- IMAP should use the user's login password to decrypt the private key from LDAP, then decrypt the emails.
I want to use Global Keys mode (where keys are provided via userdb), NOT Folder Keys (where Dovecot stores keys in dovecot-attributes files).
What works: LMTP receives emails and encrypts them correctly using the user's public key from LDAP and the encrypted files are saved to disk.
What doesn't work: IMAP can log in and see the email list (subject, from, date), but the email body never loads.
Error: Decryption error: no private key available
May 14 18:58:45 host dovecot[295725]: imap(test@example.com)<295760><SESSIONID>: Debug: Mailbox INBOX: UID 11: Opened mail because: prefetch
May 14 18:58:45 host dovecot[295725]: imap(test@example.com)<295760><SESSIONID>: Debug: dict(file): Looking up 'priv/a82ea60599ba056ad47904003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/aacbcb614fb59f81e9519186b12ac8862858d89fa3bcc1be5f25b886d3e95ee3'
May 14 18:58:45 host dovecot[295725]: imap(test@example.com)<295760><SESSIONID>: Debug: dict(file): Lookup finished for 'priv/a82ea60599ba056ad47904003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/aacbcb614fb59f81e9519186b12ac8862858d89fa3bcc1be5f25b886d3e95ee3': not found
May 14 18:58:45 host dovecot[295725]: imap(test@example.com)<295760><SESSIONID>: Error: Mailbox INBOX: UID 11: read() failed: read(/mail/example.com/test/cur/1778773528.M279604P294174.host.example.com,S=4027,W=4100:2,) failed: Decryption error: no private key available (FETCH BODY[1])
The confusing part: IMAP has the user's password (the user authenticated successfully). The private key in LDAP is encrypted with that same password. So IMAP should be able to decrypt the private key, then decrypt the email.
But Dovecot is not using the password it already has to unlock the private key.
My configuration:
    dovecot_config_version = 2.4.4

    mail_plugins {
      quota = yes
    }

    # Empty global key block (workaround for LMTP not to fail)
    crypt_global_private_key main {
    }

    passdb ldap {
      driver = ldap
      filter = (&(objectClass=Account) (mail=%{user}))
      fields {
        mail = %{ldap:mail}
        password = %{ldap:userPassword}
        userdb_home = %{ldap:homeDirectory}
      }
    }

    userdb ldap {
      driver = ldap
      filter = (&(objectClass=Account) (mail=%{user}))
      fields {
        home = %{ldap:homeDirectory}
        uid = %{ldap:uidNumber|default('500')}
        gid = %{ldap:gidNumber|default('500')}

        # Per-user keys from LDAP (Global Keys mode)
        crypt_global_public_key_file = inline:%{ldap:userPublicKey}
        crypt_global_private_key/main/crypt_private_key_file = inline:%{ldap:userPrivateKey}
        crypt_private_key_password = %{password}
      }
    }

    protocol imap {
      mail_plugins {
        imap_quota = yes
        mail_crypt = yes
      }
    }

    protocol lmtp {
      mail_plugins {
        sieve = yes
        mail_crypt = yes
      }
    }
Note: I do NOT have mail_attribute_dict configured. I do NOT want Dovecot to store keys in local files. I want everything to come from LDAP.
What I've verified:
- The private key is valid and decrypts correctly with the user's password using openssl pkey -passin pass:xxx.
- doveadm user shows the keys are retrieved from LDAP.
The error persists.
The question: Since IMAP already has the user's password (from the successful login), how can I make Dovecot use that password to decrypt the private key from LDAP and then decrypt the emails?
Is there a specific setting I'm missing? Does crypt_private_key_password = %{password} need to be placed somewhere else (e.g., inside the protocol imap block) to work correctly?
Also, I see in the logs that Dovecot is still looking for dict(file) keys (Folder Keys mode). How can I completely disable Folder Keys behavior and force Dovecot to only use Global Keys from LDAP?
Thank you!
Dovecot version: 2.4.4-5
OS: AlmaLinux 9.7
Mail storage: Maildir
Participants (1): luis.neapolis@gmail.com
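The key-material checks listed under "What I've verified", as an added example that is not part of the original post and not Dovecot's own tooling: a small POSIX shell script that builds a constructed EC key pair, encrypts the private key with a sample password the way the post describes for the userPrivateKey attribute, and then confirms both that the password unlocks the private key and that the stored public key is the one derived from it. The second check matters for this setup because LMTP encrypts with whatever userPublicKey holds; if that key does not belong to userPrivateKey, IMAP can never decrypt the message even once the password handling is fixed. The file names, the sample password and the mktemp workspace are assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Dovecot.
# Sanity-checks the per-user key pair an LDAP entry would carry in
# userPublicKey / userPrivateKey before handing it to mail_crypt:
#   1. the private key must decrypt with the user's password
#   2. the public key must be the one derived from that private key
# Assumptions: openssl is on PATH; the key files and the password used
# below are constructed samples created in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_sample_keys PASSWORD
# Creates $WORK/userPrivateKey.pem (EC P-256, password-encrypted PEM) and
# $WORK/userPublicKey.pem, standing in for the two LDAP attribute values.
make_sample_keys() {
  pw=$1
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/plain.pem" 2>/dev/null
  openssl pkey -in "$WORK/plain.pem" -aes256 -passout "pass:$pw" \
    -out "$WORK/userPrivateKey.pem" 2>/dev/null
  openssl pkey -in "$WORK/plain.pem" -pubout -out "$WORK/userPublicKey.pem" 2>/dev/null
  rm -f "$WORK/plain.pem"   # never leave the unencrypted private key around
}

# check_keypair PRIVKEY_FILE PUBKEY_FILE PASSWORD
# Returns 0 when PASSWORD unlocks PRIVKEY_FILE and PUBKEY_FILE equals the
# public key derived from it; returns 1 (with a reason on stderr) otherwise.
check_keypair() {
  priv=$1 pub=$2 pw=$3
  # 1. the password must unlock the private key
  if ! openssl pkey -in "$priv" -passin "pass:$pw" -noout 2>/dev/null; then
    echo "FAIL: private key does not decrypt with the given password" >&2
    return 1
  fi
  # 2. the stored public key must be the one that belongs to this private key
  derived=$(openssl pkey -in "$priv" -passin "pass:$pw" -pubout 2>/dev/null)
  stored=$(cat "$pub")
  if [ "$derived" != "$stored" ]; then
    echo "FAIL: stored public key is not the one derived from the private key" >&2
    return 1
  fi
  return 0
}

# Self-check with constructed keys when run directly:
#   sh check_ldap_keys.sh
# For real entries, export the two attribute values to files and call
#   check_keypair userPrivateKey.pem userPublicKey.pem "$LOGIN_PASSWORD"
if command -v openssl >/dev/null 2>&1; then
  make_sample_keys 'sample-login-password'
  if check_keypair "$WORK/userPrivateKey.pem" "$WORK/userPublicKey.pem" 'sample-login-password'; then
    echo "key pair OK: password unlocks the private key and the public key matches"
  fi
fi
```

The comparison is done on the PEM text that openssl itself emits, so a value copied out of LDAP with mangled line breaks or a missing trailing newline fails the check; that is the same text Dovecot receives through the inline: prefix, so a failure here is worth fixing before looking at the mail_crypt configuration.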