It should pick up the password used by the user, there is a caveat here though. The keypair is created on first use, so password will be initialized to empty string going thru pkcs5. This is slightly inconvenient.

To avoid this, you should probably have

protocol imap {

    passdb {

      driver = static

      args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}

}

and initialize the keypair using doveadm and set the password to this value there.

This requires some user management tools though so that the password is changed with doveadm when user changes  their password.

Another alternative is to keep the private password in database, you can use the var expand encryption plugin to make sure it's decryptable with the user's password. See https://doc.dovecot.org/configuration_manual/config_file/config_variables/ for details.

Key management is pretty much the most difficult thing in mail crypt plugin =)

Aki

On 4.9.2019 9.40, info--- via dovecot wrote:

Do I have to replace the "password" part with the actual password or can I just copy it like that?

Will dovecot create the keypair automatically or do I have to use doveadm?

4. Sep. 2019, 08:33 von aki.tuomi@open-xchange.com:

   On 4.9.2019 9.21, **** **** via dovecot wrote:

...

Hello there,

is there a way to make the mailcrypt plugin use the user's
password or at least store it in a hashed value?

I'm using a passwd file for authentication.

I feel uncomfortable saving the private password in plaintext in
that file.

Regards

You can try in passdb return

userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}

Aki

PKCS5 is a password based key derivation function. The linked documentation has information what you can use here.

Aki

On 4.9.2019 10.06, info@unkn0wn3d.com wrote:

Is any of the password schemes supported or is there a reason you chose pkcs5?

4. Sep. 2019, 08:45 von aki.tuomi@open-xchange.com:

   It should pick up the password used by the user, there is a caveat here though. The keypair is created on first use, so password will be initialized to empty string going thru pkcs5. This is slightly inconvenient.

   To avoid this, you should probably have

   protocol imap {

       passdb {

         driver = static

         args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}

   }

   and initialize the keypair using doveadm and set the password to this value there.

   This requires some user management tools though so that the password is changed with doveadm when user changes  their password.

   Another alternative is to keep the private password in database, you can use the var expand encryption plugin to make sure it's decryptable with the user's password. See https://doc.dovecot.org/configuration_manual/config_file/config_variables/ for details.

   Key management is pretty much the most difficult thing in mail crypt plugin =)

   Aki

   On 4.9.2019 9.40, info--- via dovecot wrote:

...

Do I have to replace the "password" part with the actual password
or can I just copy it like that?

Will dovecot create the keypair automatically or do I have to use
doveadm?


4. Sep. 2019, 08:33 von aki.tuomi@open-xchange.com
<mailto:aki.tuomi@open-xchange.com>:


    On 4.9.2019 9.21, **** **** via dovecot wrote:

...

    Hello there,

    is there a way to make the mailcrypt plugin use the user's
    password or at least store it in a hashed value?

    I'm using a passwd file for authentication.

    I feel uncomfortable saving the private password in
    plaintext in that file.

    Regards

    You can try in passdb return

    userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}

    Aki