Bash script hook on lda_mailbox_autocreate to generate the mail-crypt user encrypted private key from the user password
What is the best way to have a bash script run (as root) at the time a mailbox is created (lda_mailbox_autocreate)?
I use dovecot 2.3.4.1 on Debian 10.
And I use the mail-crypt plugin: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
I set up mail-crypt to require an encrypted user EC key (mail_crypt_require_encrypted_user_key = yes). I want to passphrase-encrypt the EC key using the client's plaintext password. No credential is stored on the server. But because a user may use a bad password, I concatenate the user's plaintext password with a random salt, then SHA512() hash the string and use that as the decryption key (mail_crypt_private_password) for the EC private key.
For the above I have this plugin config:
mail_plugins = $mail_plugins mail_crypt
plugin {
  mail_crypt_curve = secp256k1
  mail_crypt_require_encrypted_user_key = yes
  mail_crypt_save_version = 2
}
And to return userdb_mail_crypt_private_password, I have this sql query:
password_query = SELECT username, password, \
  SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
  FROM virtual_users WHERE username='%u';
But how do I generate the user's key automatically? Note that to generate the user's key, I need the user's plaintext password. I never save the user's plaintext password on the server.
Also, note that users are created in PHP on the web server. And for security I do not allow PHP to exec a shell (php.ini disabled_functions). Definitely not giving PHP doveadm access!
To solve the problem of generating the encrypted user key, I have the imap service call the 'imap-postlogin' service, as the 'Post-login scripting' documentation describes: https://doc.dovecot.org/admin_manual/post_login_scripting/
And 'imap-postlogin' executes my custom script via the 'script-login' binary: https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d05353...
Here is the config for the above:
service imap {
  executable = imap imap-postlogin
}
service imap-postlogin {
  executable = script-login /usr/local/bin/generateKeys.sh
  unix_listener imap-postlogin {
  }
}
And generateKeys.sh is a simple script for generating the keys with the sha256() hash produced by mysql. Note that the variable ${MAIL_CRYPT_PRIVATE_PASSWORD} is set automatically from the 'userdb_mail_crypt_private_password' field returned by the mysql query, as documented at https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundin...
Fields returned by userdb lookup with their keys uppercased (e.g. if userdb returned home, it's stored in HOME).
Here is generateKeys.sh:
#!/bin/bash
# Generate the user's mail-crypt keypair on first login if none exists yet.
# The list command always prints a header line, so fewer than 2 lines means no key.
# Note: the list output must not be redirected to /dev/null before the pipe,
# otherwise wc always counts 0 lines and the generate step runs on every login.
if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
    /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
        mailbox cryptokey generate -u "${USER}" -U > /dev/null
fi
# Hand over to the real imap process, as script-login expects.
exec "$@"
This works! But I want something better. Why execute it on every login? Is it possible to have generateKeys.sh execute only at the time dovecot creates the mailbox (lda_mailbox_autocreate) instead?
Technically creating and encrypting folder key does not require decrypting user's private key. All folder keys are encrypted with user's public key.
The problem is that this is a new user. The new user has no private key. I need to generate that private key. It does not make sense to encrypt something with a public key if there is no private key. The public and private keys are mathematically related and have to be created together. Am I using the wrong command for creating the main user encrypted EC private key?
To state my primary question directly: is there any way to have dovecot execute a bash script at the time the mailbox is created (lda_mailbox_autocreate)?
Also, I noticed extra behaviour when I do the following:
- I create a user in the mysql database
- I confirm that no mailbox exists for the user
- I confirm that no cryptokeys exist for the user
root@localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
Folder Active Public ID
root@localhost:/var/vmail#
- Before creating a mailbox or cryptokeys for the user, I send mail from an existing user to the new user
- Postfix delivers the mail to dovecot
- Dovecot accepts the mail for the new user and creates the mailbox automatically (lda_mailbox_autocreate)
- I check and see that dovecot created a key for the user
root@localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
Folder Active Public ID
yes XYZ
root@localhost:/var/vmail#
How is this possible??? I have set in the mail-crypt settings that user keys must be encrypted (mail_crypt_require_encrypted_user_key = yes), but I supplied no key! How does dovecot create the main user encrypted public/private EC keypair without being given an encryption key?
I confirm that the mail stored for 'newuser' is encrypted, but of course I cannot decrypt the mail. I get this error:
dovecot: imap(newuser...Error: Mailbox INBOX: UID=1: read() failed...Private key not available: Cannot decrypt key XYZ
It is not good to execute generateKeys.sh only on the user's first login. What if the user receives email before the first login? How do I execute generateKeys.sh on mailbox creation, and what do I do with incoming emails when no keypair has been created yet? Reject, or queue, or save unencrypted until I generate the keypair? Is that possible?
On Sun, December 8, 2019 08:04, Aki Tuomi via dovecot wrote:
Technically creating and encrypting folder key does not require decrypting user's private key. All folder keys are encrypted with user's public key.
Aki
On 08/12/2019 09:42 uxqex4efpu--- via dovecot <dovecot@dovecot.org> wrote:
[...]
It's a known issue that the password will be set to silly value, most likely 'yes'.
Hello Aki, thank you.
In fact, it appears to generate an unencrypted key! I tested whether the key is encrypted or not with:
doveadm mailbox cryptokey export -Uu newuser
For the keys created by dovecot when new mail arrives before the keypair is generated, I get the private key even though I supply no password at all.
root@localhost:/var/vmail# doveadm mailbox cryptokey export -Uu newuser
Folder: 
Public ID: ABC
Error: 
-----BEGIN PRIVATE KEY-----
XYZ
-----END PRIVATE KEY-----
For the keys I generate myself before dovecot's mail delivery generates a keypair, I get an encoding error. I think "encoding error" means that the private key is encrypted, unlike the one above.
Folder: 
Public ID: ABC
Error: error:03070068:bignum routines:BN_mpi2bn:encoding error
Is there a better way to check whether a key is encrypted or unencrypted? This is very strange when I use 'mail_crypt_require_encrypted_user_key = yes'. Not expected.
Would it be possible to add this to the documentation of the mail-crypt plugin? May I recommend adding a notice in "Encrypted user keys" https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/encrypted-use...
Note: Even if 'mail_crypt_require_encrypted_user_key' is set to 'yes', dovecot can create and store an unencrypted key on disk if the user receives mail before a keypair is generated.
I think this is very important to document. Thank you!
You should generate the user key during provisioning with
doveadm cryptokey generate -Uu user -n password
This is not possible. I provision users in PHP, and it is very important that I do not allow PHP shell/exec access (php.ini disabled_functions). PHP has mysql access only. I see no safe way for PHP to have permission to execute doveadm.
But I found a solution!
I tested disabling autocreate (lda_mailbox_autocreate = no), but it still autocreates! And autocreate creates a broken mail-crypt user keypair.
But it is possible to stop autocreate! I read here that dovecot does not autocreate if 'mail_location' is not defined. So I removed 'mail_location' from the dovecot config, and now the first email sent to a new user before the user keypair is generated produces an error. Good!
postfix/lmtp...[Private/dovecot-lmtp] said: 451 4.3.0 <newuser@localhost.localdomain> Temporary internal error (in reply to end of DATA command)
And I updated my post-login script generateKeys.sh to include 'mail_location':
#!/bin/bash
# string sanitization checks
USER=${USER//\"/}
MAIL_CRYPT_PRIVATE_PASSWORD=${MAIL_CRYPT_PRIVATE_PASSWORD//\"/}
echo "${USER}" | grep -E '^[0-9A-Za-z]{1,100}$' > /dev/null || exit 1
echo "${MAIL_CRYPT_PRIVATE_PASSWORD}" | grep -E '^[0-9A-Za-z]{128}$' > /dev/null || exit 1
# this list command always outputs one human-readable "header" line
# if there is at least one key, it will output two or more lines
# if there are no keys for the given user, it will have less than two lines
if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
    /usr/bin/doveadm -o "mail_location=maildir:~/Maildir/" \
        -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
        mailbox cryptokey generate -u "${USER}" -U > /dev/null
fi
exec "$@"
Now it works! The mail-crypt plugin no longer creates a bad key that locks the user out. Now the first login generates the user keypair using the user's salted password hash, which is never stored on the server. Very good!
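As an added example that is not code from this thread or from Dovecot, the script below takes up the "is there a better way to check" question from the defender's side: it classifies the output of doveadm mailbox cryptokey export -Uu USER as unencrypted, encrypted or none using only the two output shapes quoted in the thread, so an admin can audit all users for private keys that autocreate wrote to disk unencrypted before the first login. The user-list file, the name-sanitizing pattern and the audit_* function names are assumptions.

```shell
#!/bin/bash
# Added audit script (not from the thread). It classifies the output of
# "doveadm mailbox cryptokey export -Uu USER" using only the two shapes quoted
# in the thread: a plain PRIVATE KEY block (key stored unencrypted, the
# autocreate failure mode) versus an "encoding error" (key is encrypted and no
# password was supplied). Run it after provisioning or from cron to catch users
# whose key was written before their first login.

# Classify one user's export output. Prints: unencrypted | encrypted | none
classify_cryptokey_export() {
    output="$1"
    if printf '%s\n' "$output" | grep -q 'encoding error'; then
        # Export could not decode the key without a password: encrypted at rest.
        echo encrypted
    elif printf '%s\n' "$output" | grep -Eq -- '-----BEGIN (EC )?PRIVATE KEY-----'; then
        # Private key material readable with no password: stored unencrypted.
        echo unencrypted
    else
        # Neither shape: no user key exists yet (or an unrelated error).
        echo none
    fi
}

# Export and classify a real user's key (needs doveadm on this host).
audit_user() {
    user="$1"
    # Same idea as the sanitization in the thread's generateKeys.sh: only accept
    # a plain user name before handing it to doveadm (pattern is an assumption).
    printf '%s' "$user" | grep -Eq '^[0-9A-Za-z._@-]{1,100}$' || { echo invalid; return 1; }
    out="$(/usr/bin/doveadm mailbox cryptokey export -Uu "$user" 2>&1)"
    classify_cryptokey_export "$out"
}

# Audit every user in a file (one name per line; the path is an assumption) and
# print "user<TAB>state" so unencrypted keys can be grepped out and fixed.
audit_file() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s\t%s\n' "$user" "$(audit_user "$user")"
    done < "$1"
}

if [ "$#" -gt 0 ]; then
    audit_file "$1"
fi
```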
On Sun, December 8, 2019 18:15, Aki Tuomi via dovecot wrote:
It's a known issue that the password will be set to silly value, most likely 'yes'.
You should generate the user key during provisioning with
doveadm cryptokey generate -Uu user -n password
Aki
On 08/12/2019 16:22 uxqex4efpu@elude.in wrote:
[...]