Percent character in mail_crypt_private_password not possible

Aki Tuomi aki.tuomi at
Thu Jul 4 12:18:23 EEST 2019

On 2.7.2019 23.27, mabi wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, July 2, 2019 6:32 PM, Aki Tuomi via dovecot <dovecot at> wrote:
>> I don't actually recommend using password directly from user as password for private keys, I recommend running them thru some hash / pkcs5 before that.
> That's a great idea and makes things even safer. I don't know much about PKCS5 but would SHA512 also be safe enough for hashing the password?
> SHA512 would then generate a 128 characters hash which I would then pass to the parameter "-o plugin/mail_crypt_private_password=" of my "doveadm mailbox cryptokey generate ..." command.

It depends. You can use either one, see

I think the safest option would be setup LDAP so that the private
password would be only readable by self, and have dovecot use bind
authentication. This way you can export it only when you successfully
log in to LDAP.


More information about the dovecot mailing list