crypt_private_key_file retrieved from userdb/ldap doesn't work
Hello, if I try to retrieve crypt_private_key_file from userdb/ldap it doesn't work; in fact, if I have:
crypt_global_private_key main {
  crypt_private_key_password=secret
  crypt_private_key_file=/path/to/file
}
all is ok. If I want to have:
crypt_global_private_key main {
  crypt_private_key_password=secret
  crypt_private_key_file=
}
userdb ldap {
  driver = ldap
  .....
  fields {
    mail_crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:key}
  }
}
I have into logs:
lmtp(134879): Fatal: Raw user initialization failed: mail_crypt_plugin: nuovo: Couldn't parse private key : Unknown key format
I am sure that the key is correctly base64 encoded; in fact, if I take the LDAP value of %{ldap:key} and base64-decode it, I get the encrypted private key. Any suggestion?
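A check worth running on the value that userdb/ldap hands to the plugin, as an added example that is not from the thread or from Dovecot: it assumes (my reading of the "Unknown key format" message) that whatever follows inline: must be the key itself in PEM form, so it reports whether an LDAP attribute holds PEM, base64 wrapped around PEM, or something else, and re-wraps the PEM body to 64-column lines in case newlines were lost on the way through LDAP. The sample inputs are constructed; the DER inside them is a placeholder, not a real key.

```python
"""Diagnose what a key value fetched from userdb/LDAP actually holds.

Added example, not code from the thread or from Dovecot.  Assumption: the
value after `inline:` must be the key in PEM form.  A value that is base64
of a PEM block is therefore classified as "base64-pem", not as a key.
"""
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----"
    rb"(?P<body>[A-Za-z0-9+/=\s]*?)"
    rb"-----END (?P=label)-----"
)


def _b64_strict(data: bytes):
    """Decode base64 after dropping whitespace; None if it is not base64."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error:
        return None


def normalize_pem(label: bytes, body: bytes) -> bytes:
    """Re-wrap a PEM body to 64-column lines (RFC 7468 layout)."""
    b64 = b"".join(body.split())
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


def classify_key_material(value):
    """Return (kind, pem_or_None, note) for a value pulled from LDAP."""
    if isinstance(value, str):
        value = value.encode()
    value = value.strip()

    m = PEM_RE.search(value)
    if m:
        der = _b64_strict(m.group("body"))
        if not der or der[0] != 0x30:          # DER always starts with SEQUENCE
            return ("pem-corrupt", None, "PEM armour present but body is not DER")
        label = m.group("label")
        encrypted = b"ENCRYPTED" in label or b"Proc-Type: 4,ENCRYPTED" in value
        note = "%s; password-protected=%s" % (label.decode(), encrypted)
        return ("pem", normalize_pem(label, m.group("body")), note)

    # Not PEM: perhaps the whole PEM block was base64-encoded once more
    inner = _b64_strict(value)
    if inner is None:
        return ("unknown", None, "neither PEM nor base64")
    if PEM_RE.search(inner):
        kind, pem, note = classify_key_material(inner)
        if kind == "pem":
            return ("base64-pem", pem, "PEM was base64-encoded a second time; " + note)
        return (kind, pem, note)
    return ("unknown", None, "base64 decodes, but not to a PEM block")


def make_constructed_samples():
    """Constructed inputs for a dry run; the DER is a placeholder, NOT a real key."""
    der = b"\x30\x03\x02\x01\x00"   # minimal DER SEQUENCE standing in for PKCS#8
    pem = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(der)
           + b"\n-----END ENCRYPTED PRIVATE KEY-----\n")
    return {
        "pem": pem,
        "base64_pem": base64.b64encode(pem),         # base64 around the PEM, as in LDAP above
        "single_line_pem": pem.replace(b"\n", b""),  # newlines lost on the way through LDAP
        "garbage": b"hello world",
    }


if __name__ == "__main__":
    for name, raw in make_constructed_samples().items():
        kind, pem, note = classify_key_material(raw)
        print("%-16s -> %-11s %s" % (name, kind, note))
```

If the value comes back as base64-pem, the attribute holds one layer of encoding too many; if it comes back as pem but the original had no line breaks, the re-wrapped output is what the field should carry.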
Hello, I am writing here again as I have made some progress. Now I can correctly read both the private key and the public key from LDAP, and I can also read the user's password during the imap session to allow Dovecot to decrypt emails.
The problem now is that I cannot find a configuration that works for both encryption (receiving emails via the lmtp process) and decryption (reading emails via the imap process).
The following configuration allows Dovecot to read (decrypt) emails but cannot receive any new emails (encrypt):
crypt_global_private_key main {
}
userdb ldap {
  driver = ldap
  fields {
    crypt_global_public_key_file=inline:%{ldap:pubkey}
    crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey}
    crypt_private_key_password=%{password}
  }
}
but when the Dovecot lmtp process receives a new email I get this error:
lmtp(138655): Fatal: Raw user initialization failed: mail_crypt_plugin: main: Couldn't parse private key : Unknown key format
The following configuration instead allows Dovecot to receive new emails (encrypt) but doesn't allow it to read emails (decrypt):
#crypt_global_private_key main {
#}
userdb ldap {
  driver = ldap
  fields {
    crypt_global_public_key_file=inline:%{ldap:pubkey}
    crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey}
    crypt_private_key_password=%{password}
  }
}
but when the Dovecot imap process wants to read an email I get this error:
imap(test@domain.com)<138699><nSKkDjAxdJWsHUKZ>: Error: Mailbox INBOX: UID 81: read() failed: read(/mail/domain.com/test/cur/1742932215.M80009P138688.pop.server.com,S=3172,W=3228:2,) failed: Decryption error: no private key available (FETCH BODY[HEADER])
imap(test@domain.com)<138699><nSKkDjAxdJWsHUKZ>: Disconnected: FETCH read() failed in=216 out=938 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=0 body_count=0 body_bytes=0
In the first scenario it appears that, when Dovecot receives emails via the lmtp process, it tries to read the key in the crypt_global_private_key main section, but there is no key defined inside it, and it says that it cannot parse the private key (why? Dovecot should need just the public key for encrypting, not the private one).
Instead, in the second scenario, when it tries to read emails it appears that Dovecot needs a crypt_global_private_key main section to be defined (why? it should be enough that I declare a private key in the userdb section). Also, in the second scenario I tried to replace crypt_global_private_key/main/crypt_private_key_file with just crypt_private_key_file, but it doesn't work.
Maybe it is a bug? Thank you to everyone who can give me some suggestion.
On 25/03/2025 22:16 EET luis.neapolis--- via dovecot <dovecot@dovecot.org> wrote:
This looks like your indexes are out of sync, and Dovecot cannot recreate indexes without reading the emails. And it needs a private key to decrypt those emails.
Aki
Hello, thank you for your reply, but it appears that it is not an indexing problem. I removed /mail/domain.com/test completely from the filesystem, so now the user folder no longer exists and I let Dovecot recreate it. But it has the same behaviour.
I tried to uncomment "crypt_global_private_key main" with
crypt_global_private_key main {
}
and lmtp gives the following error:
pop dovecot[141411]: lmtp(raw-mail-user)<141475><>: Debug: Loading modules from directory: /usr/lib64/dovecot
pop dovecot[141411]: lmtp(raw-mail-user)<141475><>: Debug: Module loaded: /usr/lib64/dovecot/lib10_mail_crypt_plugin.so
pop dovecot[141411]: lmtp(raw-mail-user)<141475><>: Debug: Module loaded: /usr/lib64/dovecot/lib10_quota_plugin.so
pop dovecot[141411]: lmtp(raw-mail-user)<141475><>: Debug: Module loaded: /usr/lib64/dovecot/lib90_sieve_plugin.so
pop dovecot[141411]: lmtp(141475): Debug: Effective uid=0, gid=0, home=/run/dovecot/empty
pop dovecot[141411]: lmtp(141475): Debug: mail_crypt_plugin: crypt_user_key_curve setting missing - generating EC keys disabled
pop dovecot[141411]: lmtp(141475): Debug: User session is finished
pop dovecot[141411]: lmtp(141475): Fatal: Raw user initialization failed: mail_crypt_plugin: main: Couldn't parse private key : Unknown key format
If I comment out "crypt_global_private_key main":
#crypt_global_private_key main {
#}
lmtp works and I can receive the email (encrypt and save):
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Mailbox opened
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Adding field flags to cache for the first time (uid=0)
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Saving mail: Opened mail because: header Message-ID (Cache file is unusable)
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: dict(file): dict created (driver=file)
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: dict(file): Looking up 'priv/20db4325fcc1e367c82702003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/fddaf2cd14e50ae3826d4beb07723b6658da2b04a6f2167388197fbf23750d1f'
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: dict(file): Lookup finished for 'priv/20db4325fcc1e367c82702003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/fddaf2cd14e50ae3826d4beb07723b6658da2b04a6f2167388197fbf23750d1f': not found
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Adding field hdr.Message-ID to cache for the first time (uid=0)
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Error: Mailbox INBOX: Saving mail: read() failed: read(/mail/domain.com/test/tmp/1742979826.M389394P141309.pop.domain.com) failed: Decryption error: no private key available (read reason=)
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Purging (new file_seq=1742979826): creating cache
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Purging finished, file_seq changed 0 -> 1742979826, size=0 -> 452, max_uid=0
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Mailbox opened
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: msgid=unspecified: saved mail to INBOX
pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Local delivery finished successfully
As you can see there is an error about a lookup of a priv key, but the email can nevertheless be encrypted and saved. I think it is normal that it can be saved and encrypted, as Dovecot should use just the pub key for encrypting, but why does Dovecot search for a priv key?
Now, if I try to read it via imap:
pop dovecot[141384]: imap(test@domain.com)<141391><qm1jNTsxvpusHUKZ>: Debug: dict(file): Looking up 'priv/20db4325fcc1e367c82702003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/fddaf2cd14e50ae3826d4beb07723b6658da2b04a6f2167388197fbf23750d1f'
pop dovecot[141384]: imap(test@domain.com)<141391><qm1jNTsxvpusHUKZ>: Debug: dict(file): Lookup finished for 'priv/20db4325fcc1e367c82702003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/fddaf2cd14e50ae3826d4beb07723b6658da2b04a6f2167388197fbf23750d1f': not found
pop dovecot[141384]: imap(test@domain.com)<141391><qm1jNTsxvpusHUKZ>: Error: Mailbox INBOX: UID 1: read() failed: read(/mail/domain.com/test/cur/1742979826.M389394P141309.pop.domain.com,S=3172,W=3228:2,S) failed: Decryption error: no private key available (read reason=header stream)
pop dovecot[141384]: imap(test@domain.com)<141391><qm1jNTsxvpusHUKZ>: Disconnected: FETCH failed: UID 1: read() failed: read(/mail/domain.com/test/cur/1742979826.M389394P141309.pop.domain.com,S=3172,W=3228:2,S) failed: Decryption error: no private key available (read reason=header stream) in=214 out=992 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
and so I cannot read the email via the imap protocol.
Now, if I uncomment again:
crypt_global_private_key main {
}
I can successfully read the email via the imap process. And this time I don't see anything in the log file about any lookup of private keys, but it works correctly. In this situation I cannot receive any email again, as the lmtp process again gives the error about parsing the key.
Please note that both priv and pub keys are in LDAP, so they can be successfully read. The priv key can be opened only during an imap session, as the password is read during the imap session when the user authenticates and thus provides the password that is needed to open the priv key.
Any suggestion?