Hi all,
I am trying to set up mailbox sharing (not public mailboxes) together with mail-crypt plugin and encrypted folder keys.
According to the source code of the mail-crypt plugin (there's code trying to retrieve private keys for shared mailboxes), and its documentation, this should be possible:
If you are using global keys, mails can be shared within the key scope. The global key can be provided with several different scopes:
Global scope: key is configured in dovecot.conf file
Per-user(group) scope: key is configured in userdb file
With folder keys, key sharing can be done to single user, or multiple users. When key is shared to single user, and the user has public key available, the folder key is encrypted to recipient’s public key.
If you have mail_crypt_acl_require_secure_key_sharing enabled, you can’t share the key to groups or someone with no public key.
The documentation mentions key sharing, but I have no idea how this could be implemented, and did not find anything other than this mail-crypt documentation in the whole web...
I assume that I need to export the user key of the user's folder that should be shared, and import it into the receiving user's keys, encrypted with the receiving user's key.
Is that right? Any hints on how to do that?
Regards,
Robert
-- Robert Senger
This is the error I get in the dovecot logs when a user tries to access a shared mailbox encrypted with another user's folder key:
Jul 11 18:45:27 prokyon dovecot: imap(user1@mydomain.net)<5015><bTtn0zgABpP9EChC8NEBAa8xnEHdawfA>: Error: Mailbox Shared/user2@mydomain.net/INBOX: UID=2306: read() failed: read(/home/vmail/mydomain.net/user2/cur/1689031994.M621413P6856.prokyon,S=774,W=790:2,S) failed: Decryption error: no private key available (read reason=)
Jul 11 18:45:27 prokyon dovecot: imap(user1@mydomain.net)<5015><bTtn0zgABpP9EChC8NEBAa8xnEHdawfA>: FETCH failed: Internal error occurred. Refer to server log for more information. [2023-07-11 18:45:27] in=526 out=1604 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=0 body_count=0 body_bytes=0
ACLs allowing access are set.
Robert
On Tuesday, 11.07.2023 at 18:10 +0200, Robert Senger wrote:
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- Robert Senger
Okay, after digging into the source code of mail-crypt-plugin.c and doveadm-mail-crypt.c, it was clear that doveadm should do the trick.
But it didn't...
Further digging into doveadm-mail-crypt.c led me to mail-crypt-acl-plugin.c, which revealed that there must be an additional plugin called mail-crypt-acl that must be activated. Found that module in /usr/lib/dovecot/modules/, activated it (mail_plugins = $mail_plugins mail_crypt mail_crypt_acl), recreated ACLs (with plugin/mail_crypt_private_password=<password> option), et voilà...
NOTE: This isn't documented anywhere! The whole www does not know about the existence of the mail_crypt_acl plugin (6 irrelevant/identical results on google). Even ChatGPT fails... ;)
Please add this to the mail-crypt plugin documentation on this page: https://doc.dovecot.org/3.0/configuration_manual/mail_crypt_plugin/#mail-cry...
Thanks,
Robert
On Tuesday, 11.07.2023 at 18:10 +0200, Robert Senger wrote:
-- Robert Senger
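The working setup Robert ended up with, written out as a dovecot.conf fragment with the doveadm steps as comments. This is an added example, not configuration from the thread or from the Dovecot project: the user names are the ones from the log above, the PASS1/PASS2 password placeholders, the module path and the assumption that the acl plugin is already part of $mail_plugins are mine.

```conf
# Added example (not from the thread or from Dovecot's own documentation).
# Assumed: the mail_crypt and mail_crypt_acl modules exist in
# /usr/lib/dovecot/modules/ and the acl plugin is already in $mail_plugins.

# Starting point in the thread: only mail_crypt is loaded. An ACL on an
# encrypted folder then grants lookup/read, but nothing re-encrypts the
# folder key to the recipient, so the recipient's IMAP session fails with
# "Decryption error: no private key available".
#mail_plugins = $mail_plugins mail_crypt

# Working variant: mail_crypt_acl hooks ACL changes and encrypts the folder
# key to the public key of each user the ACL grants access to.
mail_plugins = $mail_plugins mail_crypt mail_crypt_acl

plugin {
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2

  # Per-user private keys are stored encrypted with a password; the ACL
  # change needs that password to unwrap the folder key before re-encrypting
  # it for the recipient (the thread passed it with -o on the command line).
  mail_crypt_require_encrypted_user_key = yes

  # Refuse to share a folder key with a group or with a user who has no
  # public key, so a folder key is never stored without a recipient key.
  mail_crypt_acl_require_secure_key_sharing = yes
}

# Key setup and sharing, as doveadm commands (PASS1/PASS2 are placeholders
# for the two users' private-key passwords):
#
#   # both users need a user key pair; the recipient's public key is what
#   # the folder key gets encrypted to
#   doveadm -o plugin/mail_crypt_private_password=PASS2 \
#     mailbox cryptokey generate -u user2@mydomain.net -U
#   doveadm -o plugin/mail_crypt_private_password=PASS1 \
#     mailbox cryptokey generate -u user1@mydomain.net -U
#
#   # check that the recipient's user key exists before sharing
#   doveadm mailbox cryptokey list -u user1@mydomain.net -U
#
#   # (re)set the ACL; with mail_crypt_acl loaded this is the step that
#   # encrypts user2's INBOX folder key to user1's public key
#   doveadm -o plugin/mail_crypt_private_password=PASS2 \
#     acl set -u user2@mydomain.net INBOX user=user1@mydomain.net lookup read
```

The folder key is only re-encrypted at the moment an ACL entry is written, which is why ACLs that were created before mail_crypt_acl was loaded had to be recreated. Keeping mail_crypt_acl_require_secure_key_sharing enabled is the setting that preserves the point of per-user encryption: without it, an ACL granting a group or a key-less user access would force the plugin to store the folder key in a form readable without any private key.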