Mailcrypt plugin private password
Aki Tuomi
aki.tuomi at open-xchange.com
Wed Sep 4 09:45:09 EEST 2019
It should pick up the password used by the user; there is a caveat here
though. The keypair is created on first use, so the password will be
initialized to an empty string going through pkcs5. This is slightly inconvenient.
To avoid this, you should probably have
protocol imap {
  passdb {
    driver = static
    # derive the private key password from the login password, salted with the username
    args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
  }
}
and initialize the keypair using doveadm and set the password to this
value there.
This requires some user management tools though, so that the password is
changed with doveadm when the user changes their password.
Another alternative is to keep the private password in a database; you can
use the var expand encryption plugin to make sure it's decryptable with
the user's password. See
https://doc.dovecot.org/configuration_manual/config_file/config_variables/
for details.
Key management is pretty much the most difficult thing in the mail crypt
plugin =)
Aki
On 4.9.2019 9.40, info--- via dovecot wrote:
> Do I have to replace the "password" part with the actual password or
> can I just copy it like that?
>
> Will dovecot create the keypair automatically or do I have to use doveadm?
>
>
> 4 Sep 2019, 08:33, from aki.tuomi at open-xchange.com:
>
>
> On 4.9.2019 9.21, **** **** via dovecot wrote:
>> Hello there,
>>
>> is there a way to make the mailcrypt plugin use the user's
>> password or at least store it in a hashed value?
>>
>> I'm using a passwd file for authentication.
>>
>> I feel uncomfortable saving the private password in plaintext in
>> that file.
>>
>> Regards
>
>
> You can try in passdb return
>
> userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>
> Aki
>
>
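
Added example (not part of the original thread and not Dovecot code): a sketch of a helper that a user management tool could use to compute the same derived value as %{pkcs5,salt=%u,format=base64:password} outside Dovecot, and that models the empty-password and password-change caveats described in the message. The PBKDF2 algorithm, round count and output length are assumptions, as are the function names and the sample account; confirm the parameters against the variables documentation linked above.

```python
"""Added example: model the pkcs5-derived mail_crypt private password outside Dovecot."""
import base64
import hashlib
import hmac

# Assumed PBKDF2 parameters (not stated in the thread); confirm them against
# the Dovecot variables documentation for your version before relying on this.
ALGORITHM = "sha256"
ROUNDS = 2048
LENGTH = 64  # bytes of derived output before base64 encoding


def derive_private_password(username: str, password: str) -> str:
    """Mimic %{pkcs5,salt=%u,format=base64:password}: PBKDF2 salted with the username."""
    raw = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode(), username.encode(), ROUNDS, dklen=LENGTH
    )
    return base64.b64encode(raw).decode("ascii")


def rekey_plan(username: str, old_password: str, new_password: str) -> dict:
    """Old and new derived values a password-change hook would hand to doveadm."""
    old = derive_private_password(username, old_password)
    new = derive_private_password(username, new_password)
    return {"old": old, "new": new, "rekey_needed": not hmac.compare_digest(old, new)}


def key_state(username: str, login_password: str, key_protected_with: str) -> str:
    """Model: does a login with login_password yield the value protecting the key?"""
    derived = derive_private_password(username, login_password)
    return "unlocks" if hmac.compare_digest(derived, key_protected_with) else "locked"


if __name__ == "__main__":
    user = "alice@example.test"  # constructed sample account
    # Caveat from the message: a keypair created on first use is protected
    # with the derivation of an empty password.
    first_use = derive_private_password(user, "")
    print("key from first use, real login:", key_state(user, "s3cret-old", first_use))
    plan = rekey_plan(user, "s3cret-old", "s3cret-new")
    print("password changed, no rekey:", key_state(user, "s3cret-new", plan["old"]))
    print("password changed, rekeyed:", key_state(user, "s3cret-new", plan["new"]))
```

The "old" and "new" values from rekey_plan are what the password-change tooling would pass to doveadm as the current and replacement private key passwords.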