crypt_private_key_file retrived from userdb/ldap doesn't work
Hello, if I try to retrieve crypt_private_key_file from userdb/ldap doesn't work, infact if I have:
crypt_global_private_key main{ crypt_private_key_password=secret crypt_private_key_file=/path/to/file } all is ok. If I want to have:
crypt_global_private_key main{ crypt_private_key_password=secret crypt_private_key_file= } userdb ldap { driver = ldap ..... fields { mail_crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:key} } }
I have into logs:
lmtp(134879): Fatal: Raw user initialization failed: mail_crypt_plugin: nuovo: Couldn't parse private key : Unknown key format
I am sure that the key is correctly base64 encoded, infact if I pick the ldap value of %{ldap:key} and I decode base64 I have the pkey crypted key. Any suggestion?
Hello I write here again as I made some progress. Now I can read correctly from LDAP both the private key and public key, also I can read the password of the user during the imap session to allow dovecot to decrypt emails.
The problem now is that I cannot fix a configuration that works for both the encryption (receive emails by lmtp process) and decryption (read emails by imap process).
The following configuration allows dovecot to read (decrypt) emails but cannot receive any new emails (encrypt):
crypt_global_private_key main { } userdb ldap { driver = ldap fields { crypt_global_public_key_file=inline:%{ldap:pubkey} crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey} crypt_private_key_password=%{password} } }
but when dovecot lmtp process receives a new email I get this error:
lmtp(138655): Fatal: Raw user initialization failed: mail_crypt_plugin: main: Couldn't parse private key : Unknown key format
The following configuration instead allows dovecot to receive new emails (encrypt) but it doesn't allow to read emails (decrypt):
#crypt_global_private_key main { #} userdb ldap { driver = ldap fields { crypt_global_public_key_file=inline:%{ldap:pubkey} crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey} crypt_private_key_password=%{password} } } but when dovecot imap process wants to read an email I get this error: imap(test@domain.com)<138699><nSKkDjAxdJWsHUKZ>: Error: Mailbox INBOX: UID 81: read() failed: read(/mail/domain.com/test/cur/1742932215.M80009P138688.pop.server.com,S=3172,W=3228:2,) failed: Decryption error: no private key available (FETCH BODY[HEADER]) imap(test@domain.com)<138699><nSKkDjAxdJWsHUKZ>: Disconnected: FETCH read() failed in=216 out=938 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=0 body_count=0 body_bytes=0
In the first scenario it appears that dovecot when receives emails by lmtp process try to read the key in the crypt_global_private_key main section but there is no defined key inside it and it says that cannot parse the private key (why? dovecot shoulds need just the public key for encrypting, not the private).
Instead, in the second scenario, when it tries to read emails it appears dovecot needs that there is a crypt_global_private_key main section defined (why? it should be enough I declare a private key in userdb section.). Also, in the second scenario I tried to replace crypt_global_private_key/main/crypt_private_key_file with just crypt_private_key_file but it doesn't work.
Maybe is it a bug? Thank you to everyone can give to me some suggestion.
On 25/03/2025 22:16 EET luis.neapolis--- via dovecot <dovecot@dovecot.org> wrote:
Hello I write here again as I made some progress. Now I can read correctly from LDAP both the private key and public key, also I can read the password of the user during the imap session to allow dovecot to decrypt emails.
The problem now is that I cannot fix a configuration that works for both the encryption (receive emails by lmtp process) and decryption (read emails by imap process).
The following configuration allows dovecot to read (decrypt) emails but cannot receive any new emails (encrypt):
crypt_global_private_key main { } userdb ldap { driver = ldap fields { crypt_global_public_key_file=inline:%{ldap:pubkey} crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey} crypt_private_key_password=%{password} } }
but when dovecot lmtp process receives a new email I get this error:
lmtp(138655): Fatal: Raw user initialization failed: mail_crypt_plugin: main: Couldn't parse private key : Unknown key format
The following configuration instead allows dovecot to receive new emails (encrypt) but it doesn't allow to read emails (decrypt):
#crypt_global_private_key main { #} userdb ldap { driver = ldap fields { crypt_global_public_key_file=inline:%{ldap:pubkey} crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey} crypt_private_key_password=%{password} } } but when dovecot imap process wants to read an email I get this error: imap(test@domain.com)<138699><nSKkDjAxdJWsHUKZ>: Error: Mailbox INBOX: UID 81: read() failed: read(/mail/domain.com/test/cur/1742932215.M80009P138688.pop.server.com,S=3172,W=3228:2,) failed: Decryption error: no private key available (FETCH BODY[HEADER]) imap(test@domain.com)<138699><nSKkDjAxdJWsHUKZ>: Disconnected: FETCH read() failed in=216 out=938 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=0 body_count=0 body_bytes=0
In the first scenario it appears that dovecot when receives emails by lmtp process try to read the key in the crypt_global_private_key main section but there is no defined key inside it and it says that cannot parse the private key (why? dovecot shoulds need just the public key for encrypting, not the private).
Instead, in the second scenario, when it tries to read emails it appears dovecot needs that there is a crypt_global_private_key main section defined (why? it should be enough I declare a private key in userdb section.). Also, in the second scenario I tried to replace crypt_global_private_key/main/crypt_private_key_file with just crypt_private_key_file but it doesn't work.
Maybe is it a bug? Thank you to everyone can give to me some suggestion.
This looks like your indexes are out of sync, and dovecot cannot recreate indexes without reading the emails. And it needs a private key to decrypt them emails.
Aki
Hello, thank you for your reply but it appears that it is not an indexing problem. I removed completely /mail/domain.com/test from the filesystem, so now the user folder is no more existent and I let dovecot to recreate it. But it has the same behavior.
I tried to uncomment "crypt_global_private_key main" with crypt_global_private_key main { }
and lmtp gives the following error: pop dovecot[141411]: lmtp(raw-mail-user)<141475><>: Debug: Loading modules from directory: /usr/lib64/dovecot pop dovecot[141411]: lmtp(raw-mail-user)<141475><>: Debug: Module loaded: /usr/lib64/dovecot/lib10_mail_crypt_plugin.so pop dovecot[141411]: lmtp(raw-mail-user)<141475><>: Debug: Module loaded: /usr/lib64/dovecot/lib10_quota_plugin.so pop dovecot[141411]: lmtp(raw-mail-user)<141475><>: Debug: Module loaded: /usr/lib64/dovecot/lib90_sieve_plugin.so pop dovecot[141411]: lmtp(141475): Debug: Effective uid=0, gid=0, home=/run/dovecot/empty pop dovecot[141411]: lmtp(141475): Debug: mail_crypt_plugin: crypt_user_key_curve setting missing - generating EC keys disabled pop dovecot[141411]: lmtp(141475): Debug: User session is finished pop dovecot[141411]: lmtp(141475): Fatal: Raw user initialization failed: mail_crypt_plugin: main: Couldn't parse private key : Unknown key format
if I comment "crypt_global_private_key main": #crypt_global_private_key main { #}
lmtp works and I can receive the email (encrypt and save): pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Mailbox opened pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Adding field flags to cache for the first time (uid=0) pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Saving mail: Opened mail because: header Message-ID (Cache file is unusable) pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: dict(file): dict created (driver=file) pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: dict(file): Looking up 'priv/20db4325fcc1e367c82702003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/fddaf2cd14e50ae3826d4beb07723b6658da2b04a6f2167388197fbf23750d1f' pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: dict(file): Lookup finished for 'priv/20db4325fcc1e367c82702003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/fddaf2cd14e50ae3826d4beb07723b6658da2b04a6f2167388197fbf23750d1f': not found pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Adding field hdr.Message-ID to cache for the first time (uid=0) pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Error: Mailbox INBOX: Saving mail: read() failed: read(/mail/domain.com/test/tmp/1742979826.M389394P141309.pop.domain.com) failed: Decryption error: no private key available (read reason=) pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Purging (new file_seq=1742979826): creating cache pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Purging finished, file_seq changed 0 -> 1742979826, size=0 -> 452, max_uid=0 pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Mailbox INBOX: Mailbox opened pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: msgid=unspecified: saved mail to INBOX pop dovecot[141295]: lmtp(test@domain.com)<141309><Ah2dFvLC42f9JwIAOlru6Q>: Debug: Local delivery finished successfully
as you can see there is an error about a lookup of a priv key but however email can be encrypted and saved. I think that it is normal that it can be saved and encrypted as doevoct shoud use just the pub key for encrypting, but why does dovecot search for a priv key?
Now, if I try to read it by imap: pop dovecot[141384]: imap(test@domain.com)<141391><qm1jNTsxvpusHUKZ>: Debug: dict(file): Looking up 'priv/20db4325fcc1e367c82702003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/fddaf2cd14e50ae3826d4beb07723b6658da2b04a6f2167388197fbf23750d1f' pop dovecot[141384]: imap(test@domain.com)<141391><qm1jNTsxvpusHUKZ>: Debug: dict(file): Lookup finished for 'priv/20db4325fcc1e367c82702003a5aeee9/vendor/vendor.dovecot/pvt/crypt/privkeys/fddaf2cd14e50ae3826d4beb07723b6658da2b04a6f2167388197fbf23750d1f': not found pop dovecot[141384]: imap(test@domain.com)<141391><qm1jNTsxvpusHUKZ>: Error: Mailbox INBOX: UID 1: read() failed: read(/mail/domain.com/test/cur/1742979826.M389394P141309.pop.domain.com,S=3172,W=3228:2,S) failed: Decryption error: no private key available (read reason=header stream) pop dovecot[141384]: imap(test@domain.com)<141391><qm1jNTsxvpusHUKZ>: Disconnected: FETCH failed: UID 1: read() failed: read(/mail/domain.com/test/cur/1742979826.M389394P141309.pop.domain.com,S=3172,W=3228:2,S) failed: Decryption error: no private key available (read reason=header stream) in=214 out=992 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
and then I cannot read email by imap protocol.
Now, if I uncomment again: crypt_global_private_key main { } I can read succesfully the email by imap process. And this time in the log file I don't read anything about any lookup of private keys, but it works correctly. In this situation I cannot receive again any email as lmtp process gives again the error about parsing the key.
Please note that both priv and pub keys are in LDAP, then they can be succesfully read. Priv key can be opened just during an imap session as the password is read during the imap session as user authenticates himself and then he gives the password that is needed to open the priv key.
Any suggestion?
Hello, sorry to bore you but after many days I still cannot solve the problem. I updated to 2.4.1 too but I still have the problem. I cannot understand why I have this error during LMTP session when I receive an email and it cannot write it on the disk as dovecot tries to load private key... Why? dovecot should load the public key but instead it tries to load a private key and it appears it tries to load from a disk. Infact the error:
Raw user initialization failed: mail_crypt_plugin: main: Couldn't parse private key : Unknown key format
is in "src/plugins/mail-crypt/mail-crypt-global-key.c"
at line 97 and the error should be:
*error_r = t_strdup_printf("%s: Couldn't parse private key %s: %s", set_key, file->path, error);
then dovecoit has the file->path blank.... it is really strange as I declared that the private key is on ldap... why it is searching from a path file ? infact the path file is blank...
Anyone can help? Thank you.
On 25. Mar 2025, at 15.15, luis.neapolis--- via dovecot <dovecot@dovecot.org> wrote:
crypt_global_private_key main{ crypt_private_key_password=secret crypt_private_key_file= } userdb ldap { driver = ldap ..... fields { mail_crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:key} } }
lmtp(134879): Fatal: Raw user initialization failed: mail_crypt_plugin: nuovo: Couldn't parse private key : Unknown key format
The trouble is that mail_crypt plugin loads the keys always at user initialization. That's fine for the actual user, which does the userdb lookup. However, we have an internal "raw user" which doesn't do a userdb lookup. The raw user sees from config that there is a private key configured, but the key is empty so it fails. I guess the nicest solution would be to delay initializing the keys until they're actually needed, but you can make it work already:
#crypt_global_private_key main { #} userdb ldap { driver = ldap fields { crypt_global_public_key_file=inline:%{ldap:pubkey} crypt_global_private_key=main crypt_global_private_key/main/crypt_private_key_file=inline:%{ldap:privkey} crypt_private_key_password=%{password} } }
Hello, first of all, thank you for your reply. However it still doesn't work. Infact with he suggested configuration, when user receives a new mail I have this error:
2025-05-12 16:37:17 lmtp(284205): Error: lmtp-server: conn 1.2.3.4:52582 [2]: rcpt crypto.test@example.com: Failed to initialize user: mail_crypt_plugin: main: crypt_private_key_password unset, no password to decrypt the key file
I have no more the error referred to raw user but this time I have the problem related to "user". I cannot understand why, when dovecot receives a new email it says "no password to decrypt the key file", why it tries to decrypt the key file? It has just to crypt the new arrived email using the public key that is available from LDAP userdb. Password is not available when an email is received but just when an email should be read.
Is it possible it is a bug? Is it possible nobody uses such a configuration?
Thanks.
participants (3)
-
Aki Tuomi
-
luis.neapolis@gmail.com
-
Timo Sirainen