bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password

uxqex4efpu at elude.in uxqex4efpu at elude.in
Sun Dec 8 09:42:33 EET 2019


What is the best way to cause a bash script to run (as root) at the time a
mailbox is created (lda_mailbox_autocreate)?

I use dovecot 2.3.4.1 on Debian 10.

And I use the mail-crypt plugin
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

I set up mail-crypt to require an encrypted user EC key
(mail_crypt_require_encrypted_user_key = yes). I want the passphrase that
encrypts the EC key to use the client's plaintext password, so no credential
is stored on the server. But because using the user's password alone is too
weak, I concatenate the user's plaintext password with a random salt, then
SHA512() hash the string and use it as the decryption key
(mail_crypt_private_password) for the EC private key.

For the above I have this plugin config:

>   mail_plugins = $mail_plugins mail_crypt
>   plugin {
>     mail_crypt_curve = secp256k1
>     mail_crypt_require_encrypted_user_key = yes
>     mail_crypt_save_version = 2
>   }

And to return userdb_mail_crypt_private_password, I have this SQL query:

>   password_query = SELECT username, password, \
>     SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
>     FROM virtual_users WHERE username='%u';

But how do I generate the user's key automatically? Note that to generate
the user's key I need the user's plaintext password, and I never save users'
plaintext passwords on the server.

Also note that users are created in PHP on the server's web interface, and
for security I do not allow PHP to exec a shell (php.ini
disable_functions). Definitely not leaving PHP with doveadm access!

To solve the problem of generating the user's encrypted key, I make imap call
the 'imap-postlogin' service, as the 'Post-login scripting' documentation
describes:
https://doc.dovecot.org/admin_manual/post_login_scripting/

And 'imap-postlogin' executes my custom script with the 'script-login' binary
https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c

Here is the config for the above:

>   service imap {
>     executable = imap imap-postlogin
>   }
>   service imap-postlogin {
>     executable = script-login /usr/local/bin/generateKeys.sh
>     unix_listener imap-postlogin {
>     }
>   }

And generateKeys.sh is a simple script for generating keys with the sha256()
hash produced by MySQL. Note that the variable ${MAIL_CRYPT_PRIVATE_PASSWORD}
is automatically set from the 'userdb_mail_crypt_private_password' field
returned by the MySQL query, as documented at
https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings

> Fields returned by userdb lookup with their keys uppercased
> (e.g. if userdb returned home, it's stored in HOME).

Here is generateKeys.sh:

>   #!/bin/bash
>   # Generate the user's mail-crypt key only if 'cryptokey list' shows no
>   # key (header line plus at least one key row = 2 or more lines).
>   if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
>           # Encrypt the new private key with the userdb-supplied password;
>           # note that -o places this value in the doveadm argument list.
>           /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
>                   mailbox cryptokey generate -u "${USER}" -U > /dev/null
>   fi
>   # Hand over to the real imap process passed in by script-login.
>   exec "$@"

This works! But I want something better. Why execute it on each login? Is it
possible to have generateKeys.sh execute only at the time dovecot creates the
mailbox (lda_mailbox_autocreate) instead?
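The post-login hook described above, written out as an added example that is not the poster's generateKeys.sh or Dovecot's own code. It keeps the poster's test (a key listing of fewer than two lines means the user has no key), puts key generation in a function that is skipped when a key already exists, refuses to call doveadm with an empty MAIL_CRYPT_PRIVATE_PASSWORD, and only then execs the imap command that script-login passes in. The DOVEADM override variable and the stderr messages are assumptions of this example, not Dovecot settings.

```shell
#!/bin/sh
# Added example (not the poster's script): post-login hook for Dovecot's
# script-login that creates the mail-crypt user key only when the user has
# none, then execs the real imap process.
# DOVEADM is an assumption of this example: it defaults to the path used in
# the post and can be overridden for testing.
DOVEADM="${DOVEADM:-/usr/bin/doveadm}"

# Number of lines "doveadm mailbox cryptokey list" prints for the user.
# Following the poster's check, the listing has a header line, so 2 or more
# lines means at least one key exists.
key_line_count() {
    "$DOVEADM" mailbox cryptokey list -u "$1" -U 2>/dev/null | wc -l | tr -d ' '
}

user_has_key() {
    [ "$(key_line_count "$1")" -ge 2 ]
}

# Generate the user's key, encrypting it with MAIL_CRYPT_PRIVATE_PASSWORD
# (the userdb field that script-login exports into the environment).
# Returns 0 when a key exists afterwards, 1 otherwise.
# Note: -o places the password in the doveadm argument list.
ensure_user_key() {
    user="$1"
    if user_has_key "$user"; then
        return 0
    fi
    if [ -z "$MAIL_CRYPT_PRIVATE_PASSWORD" ]; then
        echo "no mail_crypt_private_password for $user, not generating key" >&2
        return 1
    fi
    "$DOVEADM" -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
        mailbox cryptokey generate -u "$user" -U >/dev/null || return 1
    user_has_key "$user"
}

# Entry point when invoked by script-login: "$@" is the imap command to exec.
if [ "$#" -gt 0 ]; then
    ensure_user_key "$USER" || echo "key generation failed for $USER" >&2
    exec "$@"
fi
```

Because the check and the generation are separate functions, the hook is idempotent: a second login for the same user calls doveadm only for the listing and never regenerates the key.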
