mail-crypt transition from Dovecot 2.3 to 2.4
In Dovecot 2.3 I had used the following query:
    password_query =
      SELECT USER.user, USER.host,
        SECRET.password, SECRET.public_key AS mail_crypt_global_public_key, SECRET.private_key AS mail_crypt_global_private_key
      FROM USER
      WHERE USER.user = '%Lu'
This worked fine, enabling encryption and decryption properly.
For Dovecot 2.4 this does not work anymore. Example from LMTP:
Dec 11 15:02:59 lmtp(975838): Info: lmtp-server: conn unix:pid=975905,uid=113 [1]: rcpt user@test.de: <Ti6aNxPPOmne4w4APAc66w>: Failed to send message to <user@test.de> at server:24: 451 4.2.0 <user@test.de> get_public_key(INBOX) failed: mailbox_attribute_get(INBOX, /shared/vendor/vendor.dovecot/pvt/crypt/active) failed: Mailbox attributes not enabled (1/1 at 12 ms)
I tried to adapt it to Dovecot 2.4 per the documentation, ending up with this:
    query =
      SELECT
        USER.user, USER.host,
        SECRET.password,
        concat('inline:', SECRET.public_key) AS crypt_global_public_key_file,
        'main' AS crypt_global_private_key,
        concat('inline:', SECRET.private_key) AS 'crypt_global_private_key/main/crypt_private_key_file'
      FROM USER
      WHERE USER.user = '%{user | lower}'
Still the error message:
get_public_key(INBOX) failed: mailbox_attribute_get(INBOX, /shared/vendor/vendor.dovecot/pvt/crypt/active) failed: Mailbox attributes not enabled
Additionally I tried without the "inline:" prefix, because without,
doveadm mailbox cryptokey list
would return a "no such file or directory error" trying to treat the key as a filename.
With the "inline:" prefix it returns nothing except a warning:
Warning: mailbox cryptokey list: Nothing was matched. Use -U or specify mask?
What is the right way to proceed here?
m@maltris.org