MailCrypt: Encrypted user keys configuration with LDAP & cryptokey generate

FELINN felinn at riseup.net
Thu Mar 28 01:08:12 EET 2019


Hi, I am trying to use the MailCrypt plugin with folder encryption and
encrypted user keys, using LDAP. I use Dovecot 2.2.27 (c0f36b0).
I followed the wiki: https://wiki2.dovecot.org/Plugins/MailCrypt

doveconf -n and dovecot-ldap.conf.ext are attached to this message.

I configured slapd to let dovecot's DN query the userPassword
(SSHA-hashed password). I use the fusiondirectory-mail plugin:

------------------------------------------------------------------------
$ ldapsearch -D 'cn=dovecot,ou=dsa,dc=foo,dc=bar' -W -LLL '(&(objectClass=gosaMailAccount)(objectClass=posixAccount)(uid=<user>))' 'userPassword'
dn: cn=<user>,ou=people,dc=foo,dc=bar
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
------------------------------------------------------------------------

The problem is that mails are still readable and no keys are generated, even
if I send a mail to this address or log in through webmail. I waited more
than 1h for something to happen, cf.
https://dovecot.org/list/dovecot/2018-September/112763.html

If I try to generate keys manually I get this error:

------------------------------------------------------------------------
$ doveadm mailbox cryptokey generate -u <user>
doveadm(<user>): Error: mail_crypt_user_generate_keypair(<user>) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key
   Folder Public ID
x         ERROR: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key
doveadm(<user>): Warning: Timeout leak: 0x7f0c439c0180 (mail-index-alloc-cache.c:240)
------------------------------------------------------------------------

It works with -o plugin/mail_crypt_private_password=<password>, of
course, but doing it by hand is not the goal ><

I am probably missing something; I guess the part of the wiki about SQL
and password_query is only for configurations that use SQL for the user db. Is
there something similar to do with LDAP?

Thank you very much for your time.

-- 
f00wl
FELINN https://felinn.org
