bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password

uxqex4efpu at elude.in
Mon Dec 9 16:09:33 EET 2019


> It's a known issue that the password will be set to silly
> value, most likely 'yes'.

Hello Aki, thank you.

In fact, it appears to generate the key unencrypted! I tested whether the
key is encrypted or not with `doveadm mailbox cryptokey export -Uu newuser`.

I found that for the keys created by dovecot when a new email arrives before
the key is generated, I get the private key even when I supply no password at all.

>   root at localhost:/var/vmail# doveadm mailbox cryptokey export -Uu newuser
>   Folder:
>   Public ID: ABC
>   Error:
>   -----BEGIN PRIVATE KEY-----
>   XYZ
>   -----END PRIVATE KEY-----

I found that for keys I generate before dovecot generates the keypair on mail
delivery, I get an encoding error. I think "encoding error" means that the
private key is encrypted, unlike the above.

>   Folder: ABC
>   Public ID: ERROR: error:03070068:bignum routines:BN_mpi2bn:encoding error
>   Error:

Is there a better way to check whether the key is encrypted or unencrypted?
This is very strange when I use 'mail_crypt_require_encrypted_user_key = yes'.
Not expected.

Would it be possible to add a note to the mail-crypt plugin documentation?
May I recommend adding a notice in "Encrypted user keys"
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/encrypted-user-keys

> Note: Even if 'mail_crypt_require_encrypted_user_key' is set to 'yes',
> dovecot can create and store an unencrypted key on disk if the user
> receives mail before the keypair is generated.

I think this is very important to document. Thank you!

> You should generate the user key
> during provisioning with
> `doveadm cryptokey generate -Uu user -n password`.

This is not possible. I provision users in PHP, and it is very important that
I do not allow PHP to have shell/exec access (php.ini disabled_functions). PHP
has mysql access only. I see no safe way for PHP to have permission to
execute `doveadm`.

But I found a solution!

I tested setting dovecot autocreate to disabled (lda_mailbox_autocreate = no),
but it still autocreates! And autocreate creates a broken mail-crypt user
keypair.

But it is possible to stop autocreate! I read that dovecot does not autocreate
if I do not define 'mail_location'! So I deleted 'mail_location' from the
dovecot config, and now the first email sent to a new user before the user
keypair is generated produces an error. Good!

>   postfix/lmtp...[Private/dovecot-lmtp] said: 451 4.3.0
>   <newuser at localhost.localdomain> Temporary internal error (in reply to
>   end of DATA command))

And I updated my post-login script generateKeys.sh to include
'mail_location':

>   #!/bin/bash
>
>   # string sanitization checks
>   USER=${USER//\"/}
>   MAIL_CRYPT_PRIVATE_PASSWORD=${MAIL_CRYPT_PRIVATE_PASSWORD//\"/}
>   echo "${USER}" | grep -E '^[0-9A-Za-z]{1,100}$' > /dev/null || exit 1
>   echo "${MAIL_CRYPT_PRIVATE_PASSWORD}" | grep -E '^[0-9A-Za-z]{128}$' > /dev/null || exit 1
>
>   # this list command always outputs one human-readable "header" line
>   # if there is at least one key, it will output two or more lines
>   # if there are no keys for the given user, it will have less than two lines
>   if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
>           /usr/bin/doveadm -o "mail_location=maildir:~/Maildir/" \
>                   -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
>                   mailbox cryptokey generate -u "${USER}" -U > /dev/null
>   fi
>
>   exec "$@"

Now it works! The mail-crypt plugin does not create a bad key that locks out
the user. Now the first login generates the user keypair using the user's
salted password hash, which is never stored on the server. Very good!


On Sun, December 8, 2019 18:15, Aki Tuomi via dovecot wrote:
> It's a known issue that the password will be set to silly value, most
> likely 'yes'.
>
> You should generate the user key during provisioning with `doveadm
> cryptokey generate -Uu user -n password`.
>
> Aki
>
> On 08/12/2019 16:22 uxqex4efpu at elude.in wrote:
> > > Technically creating and encrypting folder key does not
> > > require decrypting user's private key. All folder keys
> > > are encrypted with user's public key.
> >
> > The problem is that this is a new user. The new user has no private key. I
> > need to generate that private key. It makes no sense to encrypt
> > something using a public key if there is no private key. Both the public
> > and private key are mathematically related and have to be created together.
> > Am I using the wrong command for creating the main user encrypted EC
> > private key?
> >
> > Back to my primary question: is there any way to have dovecot execute
> > a bash script at the time the mailbox is created
> > (lda_mailbox_autocreate)?
> >
> > Also, I noticed some extra behavior when I do:
> >
> > 1. I create the user in the mysql database
> > 2. I confirm that no mailbox exists for the user
> > 3. I confirm that no cryptokeys exist for the user
> >
> >   root at localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
> >   Folder Active Public ID
> >   root at localhost:/var/vmail#
> >
> > 4. Before creating the mailbox or cryptokeys for the user, I send mail
> >    from an existing user to the new user
> > 5. Postfix delivers the mail to dovecot
> > 6. Dovecot accepts the mail for the new user and creates the mailbox
> >    automatically (lda_mailbox_autocreate)
> > 7. I check and see that dovecot has created a key for the user
> >
> >   root at localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
> >   Folder Active Public ID
> >          yes    XYZ
> >   root at localhost:/var/vmail#
> >
> > How is this possible??? I have set in the mail-crypt settings that user
> > keys have to be encrypted (mail_crypt_require_encrypted_user_key = yes),
> > but I supplied no key! How does dovecot create the main user encrypted
> > public/private EC keypair without an encryption key given?
> >
> > I confirm that the mail item for 'newuser' is encrypted, but of course I
> > cannot decrypt the mail. I get the error:
> >
> >   dovecot: imap(newuser...Error: Mailbox INBOX: UID=1: read()
> >   failed...Private key not available: Cannot decrypt key XYZ
> >
> > It is not good to execute generateKeys.sh on the user's first login. What
> > if the user receives email before first login? How do I execute
> > generateKeys.sh on mailbox creation, and what do I do with incoming emails
> > when no keypair has been created? Reject, queue, or save unencrypted until
> > I generate the keypair? Is that possible?
> >
> > On Sun, December 8, 2019 08:04, Aki Tuomi via dovecot wrote:
> > > Technically creating and encrypting folder key does not require
> > > decrypting user's private key. All folder keys are encrypted with user's
> > > public key.
> > >
> > > Aki
> > >
> > > On 08/12/2019 09:42 uxqex4efpu--- via dovecot <dovecot at dovecot.org> wrote:
> > > > What is the best way to cause a bash script to run (as root) at the
> > > > time a mailbox is created (lda_mailbox_autocreate)?
> > > >
> > > > I use dovecot 2.3.4.1 on Debian 10.
> > > >
> > > > And I use the mail-crypt plugin
> > > > https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
> > > >
> > > > I set up mail-crypt to require an encrypted user EC key
> > > > (mail_crypt_require_encrypted_user_key = yes). I want to
> > > > passphrase-encrypt the EC key using the client's plaintext password.
> > > > No credential is stored on the server. But in case a user uses a
> > > > password that is too bad, I concatenate the user's plaintext password
> > > > with a random salt, then SHA512() hash the string and use it as the
> > > > decryption key (mail_crypt_private_password) for the EC private key.
> > > >
> > > > For the above I have the plugin config
> > > >
> > > >   mail_plugins = $mail_plugins mail_crypt
> > > >   plugin {
> > > >     mail_crypt_curve = secp256k1
> > > >     mail_crypt_require_encrypted_user_key = yes
> > > >     mail_crypt_save_version = 2
> > > >   }
> > > >
> > > > And for returning userdb_mail_crypt_private_password, I have the sql query
> > > >
> > > >   password_query = SELECT username, password, \
> > > >     SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
> > > >     FROM virtual_users WHERE username='%u';
> > > >
> > > > But how do I generate the user's key automatically? Note that to
> > > > generate the user's key, I need the user's plaintext password. I never
> > > > save the user's plaintext password on the server.
> > > >
> > > > Also note that users are created in PHP on the web server. And for
> > > > security I do not allow PHP to exec a shell (php.ini
> > > > disabled_functions). Definitely not giving PHP doveadm access!
> > > >
> > > > To solve the problem of generating the encrypted user key, I have imap
> > > > call the 'imap-postlogin' service, as the "Post-login scripting"
> > > > document describes:
> > > > https://doc.dovecot.org/admin_manual/post_login_scripting/
> > > >
> > > > And 'imap-postlogin' executes my custom script with the 'script-login'
> > > > binary
> > > > https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c
> > > >
> > > > Here is the config for the above
> > > >
> > > >   service imap {
> > > >     executable = imap imap-postlogin
> > > >   }
> > > >
> > > >   service imap-postlogin {
> > > >     executable = script-login /usr/local/bin/generateKeys.sh
> > > >     unix_listener imap-postlogin {
> > > >     }
> > > >   }
> > > >
> > > > And generateKeys.sh is a simple script for generating keys with the
> > > > sha256() hash produced by mysql. Note that the variable
> > > > ${MAIL_CRYPT_PRIVATE_PASSWORD} is automatically set from the
> > > > 'userdb_mail_crypt_private_password' field returned by the mysql
> > > > query, as documented at
> > > > https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings
> > > >
> > > > > Fields returned by userdb lookup with their keys uppercased
> > > > > (e.g. if userdb returned home, it's stored in HOME).
> > > >
> > > > Here is generateKeys.sh
> > > >
> > > >   #!/bin/bash
> > > >
> > > >   if [ `/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U > /dev/null | wc -l` -lt 2 ]; then
> > > >     /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" mailbox cryptokey generate -u "${USER}" -U > /dev/null
> > > >   fi
> > > >   exec "$@"
> > > >
> > > > This works! But I want something better. Why execute it on each login?
> > > > Is it possible to have generateKeys.sh execute only at the times
> > > > dovecot creates the mailbox (lda_mailbox_autocreate) instead?
> > >
> > > ---
> > > Aki Tuomi
>
> ---
> Aki Tuomi
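The decision logic of the post-login hook discussed in this thread, rewritten as shell functions that can be exercised without a live mail server. This is an added example, not the poster's generateKeys.sh or Dovecot's own code; it assumes DOVEADM names the doveadm binary and that MySQL's SHA2() returns lowercase hex, so the key-password check is stricter than the original alphanumeric pattern.

```shell
#!/bin/bash
# Added example, not the poster's generateKeys.sh: the hook's decision logic
# as functions, so it can be exercised with a stub instead of a real doveadm.
# Assumption: DOVEADM names the doveadm binary (or a stub function in tests).
DOVEADM="${DOVEADM:-/usr/bin/doveadm}"
MAIL_LOCATION="${MAIL_LOCATION:-maildir:~/Maildir/}"   # kept literal; dovecot expands ~

# Username rule from the original hook: 1-100 alphanumeric characters.
valid_user() { printf '%s' "$1" | grep -Eq '^[0-9A-Za-z]{1,100}$'; }

# The key password comes from SHA2(CONCAT('%w',salt),512) in the password_query,
# i.e. 128 hex digits (assumption: MySQL SHA2() returns lowercase hex), which is
# stricter than the original's [0-9A-Za-z]{128} check.
valid_key_password() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{128}$'; }

# `doveadm mailbox cryptokey list` always prints a header line; a user with at
# least one key produces two or more lines.
user_has_key() {
  [ "$("$DOVEADM" mailbox cryptokey list -u "$1" -U | wc -l)" -ge 2 ]
}

# Generate the user's encrypted key only when none exists yet.
# Returns 0 if a key exists or was generated, 1 on invalid input, 2 if doveadm failed.
ensure_user_key() {
  user="$1"; pw="$2"
  valid_user "$user" || return 1
  valid_key_password "$pw" || return 1
  user_has_key "$user" && return 0
  "$DOVEADM" -o "mail_location=${MAIL_LOCATION}" \
    -o "plugin/mail_crypt_private_password=${pw}" \
    mailbox cryptokey generate -u "$user" -U >/dev/null || return 2
}

# As a post-login hook, run with USER and MAIL_CRYPT_PRIVATE_PASSWORD from the
# userdb lookup and then hand over to the real imap binary:
#   ensure_user_key "${USER}" "${MAIL_CRYPT_PRIVATE_PASSWORD}" && exec "$@"
```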



