for now i have in the 10-auth.conf file the following:

23 May 2018 · *plaintext*

      On 23.05.2018 09:13, mail@sjemm.net wrote:
...
May 20, 2018 8:01 PM, mail@sjemm.net wrote:
...
May 20, 2018 2:47 PM, "Aki Tuomi" <aki.tuomi@dovecot.fi> wrote:
...
...
On 19 May 2018 at 16:40 mail@sjemm.net wrote:
May 18, 2018 10:01 PM, "Aki Tuomi" <aki.tuomi@dovecot.fi> wrote:
On 18 May 2018 at 21:44 mail@sjemm.net wrote:
May 18, 2018 4:43 PM, "Aki Tuomi" <aki.tuomi@dovecot.fi> wrote:
On 18 May 2018 at 17:38 mail@sjemm.net wrote:
May 18, 2018 4:05 PM, "Aki Tuomi" <aki.tuomi@dovecot.fi> wrote:
On 18 May 2018 at 16:43 mail@sjemm.net wrote:
Hi Tai74 and Aki,
I followed your conversation with interest on how to setup per user encryption in dovecot.
I have setup my dovecot with the following in a conf file:
==============
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
}
==============
This works nice, all emails are being encrypted and every user/folder has keys.
But as I understood from your conversation these keys are not protected. And I want them to be
protected by the users password used by imap.
Those passwords are stored in a mysql DB file. ( I used a guide from workaround [dot] org to set up
the DB and postfix/dovecot)
but how would i set it so, that the users password from the DB is used to encrypt the keys?
should i use mail_crypt_private_password = ?
how do i point it to the mysql db then?
im unsure about this
Do you have any hints on this?
Kind regards,
Zjemm
The passwords in your MySQL database are, hopefully, not in plaintext. If you want to secure your
user's keys using user's login password, you must have a TOOL that manages this.
You can use mail_crypt_private_password = %w in (mysql) passdb fields to provide the user's login
password as private password. You might want to run it thru some hash, so %{sha1:password} might be
a good option.
You can change the key password using 'doveadm mailbox cryptokey', this needs to be done every time
user changes his password.
Also note that if you go down this road, and the user forgets his password, you will not be able to
recover the emails without backup copy of the private key.
Aki
Hi Aki
I used the following command:
dovecot pw -s SHA256-CRYPT
the output on the chosen password looks like: {SHA256-CRYPT}$5$Rokc06a7In4SF3bO$OQpGQWqg........
This output is used to store in the password fields in the database. So no plain text passwords no
:)
You can use mail_crypt_private_password = %w in (mysql) passdb fields to provide the user's login
password as private password.
can you explain this a bit more for me?
for now i have in the 10-auth.conf file the following:
passdb {
driver = sql
# Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
args = /etc/dovecot/dovecot-sql.conf.ext
}
and:
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}
then i have in dovecot-sql.conf.ext
driver = mysql
connect = host=x.x.x.x dbname=mailserver user=mailuser password=mailpasswordexample
default_pass_scheme = SHA256-CRYPT
password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
Where do i need to set : mail_crypt_private_password = %w ?
password as private password. You might want to run it thru some hash, so %{sha1:password} might be
a good option.
the passwords are allready hashed in the DB using: dovecot pw -s SHA256-CRYPT to genereate the has.
so this step isnt nesesary anymore am i right?
Thank you for your quick response, very helpfull
Zjemm
You misunderstood a bit. The idea is to use the *plaintext* password as the password for the
private key. Otherwise anyone could just decrypt it by looking at your database where the hashed
password is..
So:
password_query = SELECT email as user, password, '%w' AS userdb_mail_crypt_private_password FROM
virtual_users WHERE email='%u'
Aki
Hi Aki,
Thank you very much for your help, i realy appreciate that.
Ok so if i understand it correctly i'll have to use:
password_query = SELECT email as user, password, '%w' AS userdb_mail_crypt_private_password FROM
virtual_users WHERE email='%u'
in my dovecot-sql.conf.ext file
This query selects the user, the password, and %w
if i run a little query myself:
MariaDB [mailserver]> SELECT email as user, password, '%w' AS userdb_mail_crypt_private_password
FROM virtual_users;
+------------------+----------------------------------+------------------------------------+
| user | password | userdb_mail_crypt_private_password |
+------------------+----------------------------------+------------------------------------+
| john@example.org | {SHA256-CRYPT}$5$M/GWzmtjsLroRWI | %w |
+------------------+----------------------------------+------------------------------------+
%w is a dovecot variable, and stands for the plaintext password, but the password is not stored as
plaintext in the DB, %w get filled with the actual plaintext password by dovecot upon the user that
is typing in the password when authenticating.
is this correct?
yes.
so then i have the username the hashed password en the plaintext password as a result of the query.
yes
now userdb_mail_crypt_private_password = the plaintext password
do i need to reference it somewhere? or is userdb_mail_crypt_private_password autmatically used by
the dovecot mail_crypt plugin to encrypt the keys? or should it be mail_crypt_private_password?
It gets injected into the mail process as 'mail_crypt_private_password', as if it was set in plugin
{} section.
if i have this setup working i'm going to write a blog post on this topic to share this knowledge
Thanks again and have a great weekend.
Zjemm
Aki
Hi Aki,
Cool i'm testing it right now.
I have set up a new mailserver (life is great with lxc containers :) )
postfix and dovecot are working like normal
next i enable mail_crypt
i did create a file: /etc/dovecot/conf.d/10-mailcrypt.conf
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
}
and then i changed the file: /etc/dovecot/dovecot-sql.conf.ext
so the query is now the new query:
password_query = SELECT email as user, password, '%w' AS userdb_mail_crypt_private_password FROM
virtual_users WHERE email='%u';
then i restarted dovecot and postfix and send a test email to the one and only testuser that is in
there.
when i open the mailbox with the tool mutt, i can see the new email, and when openening the email
the mutt client drops the connection.
in the log i can see:
May 19 13:34:48 mailserver1.example.local dovecot[600]: imap-login: Login: user=<john@example.org>,
method=PLAIN, rip=::1, lip=::1, mpid=713, TLS, session=<E3PnIY9sNM4AAAAAAAAAAAAAAAAAAAAB>
May 19 13:34:49 mailserver1.example.local dovecot[600]: imap(john@example.org): Error: read()
failed:
read(/var/vmail/example.org/john/Maildir/cur/1526736378.M161472P641.mailserver1.example.local,S=559,
=571:2,) failed: Private key not available: Cannot decrypt key
bfc5bb25b1bf64290eea6dc14b516c6a0a25b64551b6e4f0f8677ba7274887cb: error:03070068:bignum
routines:BN_mpi2bn:encoding error (FETCH BODY[] for mailbox INBOX UID 8)
i think i missed a step, but witch one?
the userpassword hasnt been changed (that would be the next step in the testing process)
should i've use doveadm first to encrypt the key with that userpassword? i thought it would do that
on the fly, because the initial keys where only just created when enabling the mail_crypt plugin
please let me know your thougts
Zjemm
I noticed you replied directly to me, and not to the list, too... fixed that for you.
mail_crypt_private_password is used when key is created, but if you have created it before using
password, you'll need to encrypt it before turning the setting on.
Aki
Hi, Ok i'm sorry about that, thank you for fixing that. i'm a bit new to mailing lists :)
are you a dovecot devoloper? or a enthusiastic user?
anyway, i managed to get it working now with all your help :)
to start fresh i did a:
rm -rf /var/vmail/example.org
so all email is gone, and i assume all dovecot keys are gone that way.
Then i tried to set a password first:
root@mailserver1:/var/vmail# doveadm mailbox cryptokey password -u john@example.org -n summersun
result: Changed password for 0 key(s)
(summersun = the password for this user)
but then it says there are 0 keys, so then i send the test user an email and try to open the
mailbox, i'll get:
imap(john@example.org): Error: read() failed:
read(/var/vmail/example.org/john/Maildir/cur/1526827992.M149712P883.mailserver1.example.local,S=549,
=561:2,) failed: Private key not available: Cannot decrypt key
71849013a70b0c631c06112077e7c2fe39b0b2737b4933b219793841209d4e7f: error:03070068:bignum
routines:BN_mpi2bn:encoding error
but hey, now the key's are created, so i tried to set the password again:
root@mailserver1:/var/vmail# doveadm mailbox cryptokey password -u john@example.org -n summersun
result: dcrypt_key_load_private(787701bd677dd69a26842547a3926cbaa625b0b5a91751f06678c3e9708343d9)
failed: password missing
Lets start over again, i did a new:
rm -rf /var/vmail/example.org
i disabled the mail_crypt_private_password in the sql query and send an email to the test user.
now again new keys are generated.
then i did set the password via doveadm:
root@mailserver1:/var/vmail# doveadm mailbox cryptokey password -u john@example.org -n summersun
result: Changed password for 1 key(s)
i enabled the mail_crypt_private_password again in the sql query part and now it works :)
YESSS!!!
if i now change the password for the user, i cannot read the email anymore. that is what should
happen.
so now i changed the password for this user also with doveadm:

doveadm mailbox cryptokey password -u john@example.org -n qwerty -o summersun

and now i'm able to read the emails again. so it all works now as expected.
i have now only one thing remaining.
when i want to add a new user, i have to somehow:

create the new user in the mysql DB
start with dovecot not using mail_crypt_private_password (so disabled)
send an initial email to let the users mailbox be created and generate the keys
set the users password with doveadm
restart dovecot again with mail_crypt_private_password (so enabled)

but this would be disruptive to existing users, and i would have to script the whole thing as a
"add-new-user" script to make it usable i guess.
do you know of a more easy way of acomplishing this?
could i use doveadm for all steps, and get around the mail_crypt_private_password disable part?
or could i add a column in the mysql db called userdb_mail_crypt_private_password and fill that
column with %w for users that allready exist, and empty for new users.
when being empty, it might not set the mail_crypt_private_password for new users
or is this the wrong way of thinking?
let me know your thoughts on this.
And last but not least, i really want to thank you for all your help. It is a really nice
experience.
Bless you!
Zjemm
Hi Aki,
You did fix the posting on the mail archive, i can see our conversation on there, all but the last email i send to you.
Maybe you did not received the last email?
would you be willing to take a look at my last question in the email See below:
Thank you very much.
================================
i have now only one thing remaining.
when i want to add a new user, i have to somehow:

create the new user in the mysql DB
start with dovecot not using mail_crypt_private_password (so disabled)
send an initial email to let the users mailbox be created and generate the keys
set the users password with doveadm
restart dovecot again with mail_crypt_private_password (so enabled)

but this would be disruptive to existing users, and i would have to script the whole thing as a "add-new-user" script to make it usable i guess.
do you know of a more easy way of acomplishing this?
could i use doveadm for all steps, and get around the mail_crypt_private_password disable part?
or could i add a column in the mysql db called userdb_mail_crypt_private_password and fill that column with %w for users that allready exist, and empty for new users.
when being empty, it might not set the mail_crypt_private_password for new users
or is this the wrong way of thinking?
let me know your thoughts on this.
And last but not least, i really want to thank you for all your help. It is a really nice experience.
Bless you!
Zjemm
If you have mail_crypt_private_password set *when* keys are generated,
dovecot should use that password to encrypt the user key.
Aki

Re: Best mail encryption solution for per-user

Aki Tuomi

for now i have in the 10-auth.conf file the following:

userdb { driver = static args = uid=vmail gid=vmail home=/var/vmail/%d/%n }

then i have in dovecot-sql.conf.ext

driver = mysql connect = host=x.x.x.x dbname=mailserver user=mailuser password=mailpasswordexample default_pass_scheme = SHA256-CRYPT password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';

i did create a file: /etc/dovecot/conf.d/10-mailcrypt.conf

plugin { mail_crypt_curve = secp521r1 mail_crypt_save_version = 2 }

root@mailserver1:/var/vmail# doveadm mailbox cryptokey password -u john@example.org -n summersun result: dcrypt_key_load_private(787701bd677dd69a26842547a3926cbaa625b0b5a91751f06678c3e9708343d9) failed: password missing

tags

participants (1)