On 2023-05-04 21:16, Aki Tuomi wrote:

...

On 04/05/2023 21:09 EEST Aki Tuomi via dovecot dovecot@dovecot.org wrote:

...

On 04/05/2023 21:08 EEST efeizbudak@disroot.org wrote:

On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:

...

...

On 04/05/2023 20:11 EEST efeizbudak--- via dovecot dovecot@dovecot.org wrote:

Hi all,

So recently google has been trying to send email to dmarc@domain.com on my server but I'm using encrypted storage and since the dmarc user has no password the email is being rejected with the error:

May  4 16:51:50 domain dovecot: lda(dmarc)<3326>: Error: sieve: msgid=10341808348719730099@google.com: failed to store into mailbox 'INBOX': generate_keypair(INBOX) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key

How can I fix this, or at least read what the mail says? Would it be safe to just give dmarc user a strong password?

You can run

doveadm mailbox cryptokey generate -U dmarc -N

so the user will have a keypair generated. Then it should work.

Aki

I'm getting

generate: invalid option -- 'N'

should I just run it without -N ?

Thank you!

Please keep responses on the list.

Try -n password? I have a faint recall of a buggy version like this.

Aki

...

Sorry for replying twice, I'm getting doveadm(root): Error: Couldn't drop privileges: User is missing UID (see mail_uid setting) when I try to run it without the -N op

Sorry, my bad.

doveadm mailbox cryptokey generate -U -u dmarc -n password

Aki This too gives me

generate: invalid option -- 'n'

On 2023-05-04 21:25, Aki Tuomi wrote:

...

On 04/05/2023 21:20 EEST efeizbudak@disroot.org wrote:

On 2023-05-04 21:16, Aki Tuomi wrote:

...

...

On 04/05/2023 21:09 EEST Aki Tuomi via dovecot dovecot@dovecot.org wrote:

...

On 04/05/2023 21:08 EEST efeizbudak@disroot.org wrote:

On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:

...

> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot > dovecot@dovecot.org wrote: > > > Hi all, > > So recently google has been trying to send email to dmarc@domain.com > on > my server but I'm using encrypted storage and since the dmarc user has > no password the email is being rejected with the error: > > May  4 16:51:50 domain dovecot: > lda(dmarc)<3326>: Error: sieve: > msgid=10341808348719730099@google.com: failed to store into mailbox > 'INBOX': generate_keypair(INBOX) failed: > mail_crypt_require_encrypted_user_key set, cannot generate user > keypair > without password or key > > How can I fix this, or at least read what the mail says? Would it be > safe to just give dmarc user a strong password?

You can run

doveadm mailbox cryptokey generate -U dmarc -N

so the user will have a keypair generated. Then it should work.

Aki

I'm getting

generate: invalid option -- 'N'

should I just run it without -N ?

Thank you!

Please keep responses on the list.

Try -n password? I have a faint recall of a buggy version like this.

Aki

...

Sorry for replying twice, I'm getting doveadm(root): Error: Couldn't drop privileges: User is missing UID (see mail_uid setting) when I try to run it without the -N op

Sorry, my bad.

doveadm mailbox cryptokey generate -U -u dmarc -n password

Aki This too gives me

generate: invalid option -- 'n'

So it seems. Have to investigate this.

In the mean time, can you try just

doveadm mailbox cryptokey generate -U -u dmarc

If you want, you can do

doveadm mailbox cryptokey password -u user -U -N

which hopefully should work.

Aki First one gives,

doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key doveadm(dmarc): Warning: mailbox cryptokey generate: Nothing was matched. Use -U or specify mask? doveadm(dmarc): Panic: file mail-user.c: line 229 (mail_user_deinit): assertion failed: ((*user)->refcount == 1) doveadm(dmarc): Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7fe3f93e04e2] -> /usr/lib/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7fe3f93e05fe] -> /usr/lib/dovecot/libdovecot.so.0(+0xfc49b) [0x7fe3f93ec49b] -> /usr/lib/dovecot/libdovecot.so.0(+0xfc4d1) [0x7fe3f93ec4d1] -> /usr/lib/dovecot/libdovecot.so.0(+0x53aee) [0x7fe3f9343aee] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x407c9) [0x7fe3f94f47c9] -> doveadm(+0x31bcd) [0x55c2ab3d7bcd] -> doveadm(+0x32632) [0x55c2ab3d8632] -> doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x22d) [0x55c2ab3d94ad] -> doveadm(doveadm_cmd_run_ver2+0x4c8) [0x55c2ab3e9b88] -> doveadm(doveadm_cmd_try_run_ver2+0x3a) [0x55c2ab3e9bda] -> doveadm(main+0x1d0) [0x55c2ab3c8450] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xea) [0x7fe3f8f9fd0a] -> doveadm(_start+0x2a) [0x55c2ab3c892a] Aborted

And the second one gives,

password: invalid option -- 'U'

Thank you for looking into it!

On 2023-05-04 21:31, Aki Tuomi via dovecot wrote:

...

On 04/05/2023 21:28 EEST efeizbudak@disroot.org wrote:

On 2023-05-04 21:25, Aki Tuomi wrote:

...

...

On 04/05/2023 21:20 EEST efeizbudak@disroot.org wrote:

On 2023-05-04 21:16, Aki Tuomi wrote:

...

...

On 04/05/2023 21:09 EEST Aki Tuomi via dovecot dovecot@dovecot.org wrote:

> On 04/05/2023 21:08 EEST efeizbudak@disroot.org wrote: > > > On 2023-05-04 20:53, Aki Tuomi via dovecot wrote: > >> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot > >> dovecot@dovecot.org wrote: > >> > >> > >> Hi all, > >> > >> So recently google has been trying to send email to dmarc@domain.com > >> on > >> my server but I'm using encrypted storage and since the dmarc user has > >> no password the email is being rejected with the error: > >> > >> May  4 16:51:50 domain dovecot: > >> lda(dmarc)<3326>: Error: sieve: > >> msgid=10341808348719730099@google.com: failed to store into mailbox > >> 'INBOX': generate_keypair(INBOX) failed: > >> mail_crypt_require_encrypted_user_key set, cannot generate user > >> keypair > >> without password or key > >> > >> How can I fix this, or at least read what the mail says? Would it be > >> safe to just give dmarc user a strong password? > > > > You can run > > > > doveadm mailbox cryptokey generate -U dmarc -N > > > > so the user will have a keypair generated. Then it should work. > > > > Aki > > I'm getting > > generate: invalid option -- 'N' > > should I just run it without -N ? > > Thank you!

Please keep responses on the list.

Try -n password? I have a faint recall of a buggy version like this.

Aki

...

Sorry for replying twice, I'm getting doveadm(root): Error: Couldn't drop privileges: User is missing UID (see mail_uid setting) when I try to run it without the -N op

Sorry, my bad.

doveadm mailbox cryptokey generate -U -u dmarc -n password

Aki This too gives me

generate: invalid option -- 'n'

So it seems. Have to investigate this.

In the mean time, can you try just

doveadm mailbox cryptokey generate -U -u dmarc

If you want, you can do

doveadm mailbox cryptokey password -u user -U -N

which hopefully should work.

Aki First one gives,

doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key doveadm(dmarc): Warning: mailbox cryptokey generate: Nothing was matched. Use -U or specify mask? doveadm(dmarc): Panic: file mail-user.c: line 229 (mail_user_deinit): assertion failed: ((*user)->refcount == 1) doveadm(dmarc): Error: Raw backtrace: /usr/lib/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7fe3f93e04e2] -> /usr/lib/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7fe3f93e05fe] -> /usr/lib/dovecot/libdovecot.so.0(+0xfc49b) [0x7fe3f93ec49b] -> /usr/lib/dovecot/libdovecot.so.0(+0xfc4d1) [0x7fe3f93ec4d1] -> /usr/lib/dovecot/libdovecot.so.0(+0x53aee) [0x7fe3f9343aee] -> /usr/lib/dovecot/libdovecot-storage.so.0(+0x407c9) [0x7fe3f94f47c9] -> doveadm(+0x31bcd) [0x55c2ab3d7bcd] -> doveadm(+0x32632) [0x55c2ab3d8632] -> doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x22d) [0x55c2ab3d94ad] -> doveadm(doveadm_cmd_run_ver2+0x4c8) [0x55c2ab3e9b88] -> doveadm(doveadm_cmd_try_run_ver2+0x3a) [0x55c2ab3e9bda] -> doveadm(main+0x1d0) [0x55c2ab3c8450] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xea) [0x7fe3f8f9fd0a] -> doveadm(_start+0x2a) [0x55c2ab3c892a] Aborted

And the second one gives,

password: invalid option -- 'U'

Thank you for looking into it!

Sorry, this is bit annoying issue. Seems there was a slight oversight when this option was added.. anyways...

try

doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox cryptokey generate -U -u dmarc

maybe it works?

Aki This gives the same error as the above that starts with

doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key

On 2023-05-05 09:09, Aki Tuomi via dovecot wrote:

...

On 05/05/2023 05:49 EEST efeizbudak--- via dovecot dovecot@dovecot.org wrote:

...

...

try

doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox cryptokey generate -U -u dmarc

maybe it works?

Aki This gives the same error as the above that starts with

doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key

Ok, since this is getting too annoying I tested out that

doveadm -o plugin/mail_crypt_private_password=foo mailbox cryptokey generate -u dmarc -U

at least works for me with that setting.

I've made an issue of this, because it's not supposed to work like this. Although it can end up as documentation task.

Aki That worked! Thank you!!

On 05/05/2023 14:57 EEST efeizbudak@disroot.org wrote:

On 2023-05-05 14:29, efeizbudak--- via dovecot wrote:

...

On 2023-05-05 09:09, Aki Tuomi via dovecot wrote:

...

...

On 05/05/2023 05:49 EEST efeizbudak--- via dovecot dovecot@dovecot.org wrote:

...

...

try

doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox cryptokey generate -U -u dmarc

maybe it works?

Aki This gives the same error as the above that starts with

doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key

Ok, since this is getting too annoying I tested out that

doveadm -o plugin/mail_crypt_private_password=foo mailbox cryptokey generate -u dmarc -U

at least works for me with that setting.

I've made an issue of this, because it's not supposed to work like this. Although it can end up as documentation task.

Aki That worked! Thank you!! Sorry, I've missed one important part. After running this command and creating the keys, the emails are now received fine on the account but how can I actually read them? I've tried to log into the account using something like

mutt -f imap://dmarc@domain.com/Inbox

but the login fails I guess because the user has keys but no password to login. How can I decrypt the mail on this account using the generated keys? I've also tried

doveadm fetch -u dmarc "text" MAILBOX INBOX UNSEEN

which gives me an error about password not being available.

Well yes. There have been so many threads on this on the mailing list so I'll just summarize it here:

If you are going to use per-user-passwords, you need to hash them. In config, you need to export this in passdb. Otherwise it will never end up in plugin environment. Hash them to avoid certain characters making a mess and also to make it more secure.

You **must** either make your users to log in to to Dovecot before receiving email, **or** include cryptokey management in your provisioning workflow. Remember to hash the password when providing it over -o plugin/mail_crypt_private_password.

Dovecot has no facility to ask the password over IMAP when you try to read the mail.

Doing per-user-password encryption is difficult to get right.

Aki