Mailcrypt plugin private password

Aki Tuomi aki.tuomi at open-xchange.com
Wed Sep 4 10:36:30 EEST 2019


PKCS5 is a password based key derivation function. The linked
documentation has information on what you can use here.

Aki

On 4.9.2019 10.06, info at unkn0wn3d.com wrote:
> Are any of the password schemes supported or is there a reason you
> chose pkcs5?
>
>
>
> 4. Sep. 2019, 08:45, from aki.tuomi at open-xchange.com:
>
>     It should pick up the password used by the user, there is a caveat
>     here though. The keypair is created on first use, so password will
>     be initialized to empty string going thru pkcs5. This is slightly
>     inconvenient.
>
>     To avoid this, you should probably have
>
>     protocol imap {
>         passdb {
>           driver = static
>           args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>         }
>     }
>
>     and initialize the keypair using doveadm and set the password to
>     this value there.
>
>
>     This requires some user management tools though so that the
>     password is changed with doveadm when the user changes their password.
>
>     Another alternative is to keep the private password in database,
>     you can use the var expand encryption plugin to make sure it's
>     decryptable with the user's password. See
>     https://doc.dovecot.org/configuration_manual/config_file/config_variables/
>     for details.
>
>     Key management is pretty much the most difficult thing in mail
>     crypt plugin =)
>
>     Aki
>
>
>     On 4.9.2019 9.40, info--- via dovecot wrote:
>>     Do I have to replace the "password" part with the actual password
>>     or can I just copy it like that?
>>
>>     Will dovecot create the keypair automatically or do I have to use
>>     doveadm?
>>
>>
>>     4. Sep. 2019, 08:33, from aki.tuomi at open-xchange.com:
>>
>>
>>         On 4.9.2019 9.21, **** **** via dovecot wrote:
>>>         Hello there,
>>>
>>>         is there a way to make the mailcrypt plugin use the user's
>>>         password or at least store it in a hashed value?
>>>
>>>         I'm using a passwd file for authentication.
>>>
>>>         I feel uncomfortable saving the private password in
>>>         plaintext in that file.
>>>
>>>         Regards
>>
>>
>>         You can try in passdb return
>>
>>         userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>>
>>         Aki
>>
>>
>
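
Added example, not part of the thread and not Dovecot code: a sketch of the out-of-band derivation a user management tool would need in order to hand doveadm the same value that `%{pkcs5,salt=%u,format=base64:password}` yields, including the empty-password first-use case mentioned above. The hash, iteration count and key length are assumptions (the thread does not state them), and all function names and the sample account are hypothetical.

```python
import base64
import hashlib

# Assumptions, not taken from the thread: PBKDF2-HMAC with this hash,
# iteration count and output length. Set them to what your Dovecot
# version's %{pkcs5} expansion actually uses before relying on the output.
HASH_NAME = "sha256"
ROUNDS = 2048
KEY_LEN = 32


def derive_private_password(username, password):
    """PBKDF2 over the login password, salted with the username (salt=%u),
    then base64-encoded (format=base64)."""
    raw = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                              username.encode("utf-8"), ROUNDS, KEY_LEN)
    return base64.b64encode(raw).decode("ascii")


def first_use_value(username):
    """Value protecting a key pair that was auto-created on first use,
    when the password expanded to the empty string."""
    return derive_private_password(username, "")


def rekey_plan(username, old_password, new_password):
    """Old and new private passwords to give doveadm when a user changes
    their login password, plus a flag for keys that are still protected
    by the empty-password value."""
    old = derive_private_password(username, old_password)
    new = derive_private_password(username, new_password)
    return {
        "old_private_password": old,
        "new_private_password": new,
        "rekey_needed": old != new,
        "old_is_empty_password_value": old == first_use_value(username),
    }


if __name__ == "__main__":
    # Constructed sample account and passwords.
    plan = rekey_plan("alice@example.org", "correct horse", "battery staple")
    for field, value in plan.items():
        print(f"{field}: {value}")
```
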