Problem with Dovecot on a FIPS enabled system
This bug was submitted on an Ubuntu Jammy system with FIPS enabled. Here is the Ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2107773
Pull Request submitted: https://github.com/dovecot/core/pull/241
[ Impact ]
When one enables FIPS mode on a Jammy system and then attempts to use Dovecot to create an encrypted mailbox, the module returns an invalid salt length error.
FIPS mode requires a 16 byte salt for PBKDF2 and Dovecot is only requesting 8 bytes of salt. The solution is to modify Dovecot to request 16 bytes of salt.
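The following is an added illustration, not code from Dovecot or from the pull request above. It models the salt length rule that a FIPS provider enforces for PBKDF2 (a minimum of 16 bytes, as stated above) in front of Python's standard-library PBKDF2, so the 8-byte request that triggers the error and the 16-byte request that the fix makes can be compared side by side. The constants, function names and the constructed password and salt values are assumptions made for this example.

```python
import hashlib

# Minimum salt length a FIPS-mode PBKDF2 accepts, per the bug description above
# (16 bytes). LEGACY_SALT_BYTES is the 8-byte request Dovecot made before the fix.
FIPS_MIN_SALT_BYTES = 16
LEGACY_SALT_BYTES = 8


def check_salt_length(salt: bytes, fips_mode: bool) -> None:
    """Reject salts that a FIPS-mode PBKDF2 would refuse.

    Outside FIPS mode any salt length is accepted, which is why the bug only
    shows up once FIPS is enabled on the host.
    """
    if fips_mode and len(salt) < FIPS_MIN_SALT_BYTES:
        raise ValueError(
            f"invalid salt length: {len(salt)} bytes, "
            f"FIPS mode requires at least {FIPS_MIN_SALT_BYTES}"
        )


def derive_key(password: bytes, salt: bytes, fips_mode: bool,
               iterations: int = 100_000, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 with the salt check applied first.

    hashlib.pbkdf2_hmac itself never checks salt length; the check mirrors
    what the FIPS provider does before the derivation runs.
    """
    check_salt_length(salt, fips_mode)
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def simulate_cryptokey_generate(fips_mode: bool, salt_len: int) -> str:
    """Simulate the key-derivation step of 'doveadm mailbox cryptokey generate'.

    Returns "ok" when derivation succeeds, otherwise the error text. The salt is
    a constructed deterministic value so the example is reproducible; a real
    implementation draws it from a CSPRNG.
    """
    salt = bytes(range(salt_len))          # constructed sample salt
    password = b"example-private-password"  # constructed sample password
    try:
        derive_key(password, salt, fips_mode)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Before the fix, non-FIPS host: 8-byte salt is accepted.
    print("non-FIPS, 8-byte salt :", simulate_cryptokey_generate(False, LEGACY_SALT_BYTES))
    # Before the fix, FIPS host: 8-byte salt is rejected (the reported bug).
    print("FIPS,     8-byte salt :", simulate_cryptokey_generate(True, LEGACY_SALT_BYTES))
    # After the fix, FIPS host: 16-byte salt is accepted.
    print("FIPS,    16-byte salt :", simulate_cryptokey_generate(True, FIPS_MIN_SALT_BYTES))
```

The same derivation is used in all three runs; only the salt length and the FIPS flag change, which is exactly the situation the test plan below exercises before and after the fixed package is installed.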
[ Test Plan ]
 * Install Dovecot on the system:
   sudo apt install dovecot-auth-lua dovecot-core dovecot-gssapi dovecot-imapd dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pgsql dovecot-pop3d dovecot-sieve dovecot-solr dovecot-sqlite dovecot-submissiond
 * Enable mailbox encryption by adding /etc/dovecot/conf.d/mail-crypt.conf with the following contents:
   mail_location = mbox:~/mail:INBOX=/var/mail/%u
   listen = *
   mbox_write_locks = fcntl
   namespace inbox {
     inbox = yes
     location =
     mailbox Drafts {
       special_use = \Drafts
     }
     mailbox Junk {
       special_use = \Junk
     }
     mailbox Sent {
       special_use = \Sent
     }
     mailbox "Sent Messages" {
       special_use = \Sent
     }
     mailbox Trash {
       special_use = \Trash
     }
     prefix =
   }
   passdb {
     driver = pam
   }
   userdb {
     driver = passwd
   }
   mail_plugins = $mail_plugins mail_crypt
   plugin {
     mail_crypt_curve = secp521r1
     mail_crypt_save_version = 2
   }
   mail_attribute_dict = file:%h/Maildir/dovecot-attributes
   imap_metadata = yes
 * Issue the following command to create an encrypted mailbox:
   sudo doveadm -o plugin/mail_crypt_private_password=e32f1f174d7576716d5df899e7d5cb6b64cdb33584c71882e9f7e1f79f2e695e mailbox cryptokey generate -u <username>
 * Verify that no error occurs.
 * Enable FIPS on the Jammy system:
   sudo pro attach
   sudo pro enable fips-updates
   sudo reboot
 * Reboot.
 * Delete the mailbox:
   rm -rf ~/mail
 * Issue the following command to create an encrypted mailbox:
   sudo doveadm -o plugin/mail_crypt_private_password=e32f1f174d7576716d5df899e7d5cb6b64cdb33584c71882e9f7e1f79f2e695e mailbox cryptokey generate -u <username>
 * Verify that an error occurs (the invalid salt length error described above).
 * Update Dovecot to the fixed version.
 * Repeat the commands to delete the mailbox and to create an encrypted mailbox.
 * After installing the fix, verify that no error occurs.
[ Where problems could occur ]
 * The increased salt size of 16 bytes could potentially cause issues in allocated data structures, but I've attempted to mitigate this by increasing the size of potentially problematic data structures.
[ Other Info ]
This is really only needed on systems where FIPS is supported, i.e. Jammy, Noble and 26.04.
Participants (1): Eric Berry