mail-crypt-plugin: encrypted user keys

Aki Tuomi aki.tuomi at open-xchange.com
Fri May 28 12:57:06 EEST 2021


Hi!

This is because you do not have a private password set during delivery. To use this feature like this, you need to make sure the user keys are generated using doveadm mail cryptokey generate -u user -U before delivery.

Aki

> On 28/05/2021 12:54 Daniel Schuermann <dovecot at 2718282.net> wrote:
> 
>  
> Hi,
> 
> I tried to enable encrypted folder keys using mail-crypt-plugin.
> It works as expected when using unencrypted folder keys.
> When I add
> 
>    mail_crypt_require_encrypted_user_key = yes
> 
> as shown below, I somehow manage to crash dovecot:
> 
>  dovecot: lmtp(82060): Fatal: master: service(lmtp):
>   child 82060 killed with signal 6 (core not dumped -
>   https://dovecot.org/bugreport.html#coredumps -
>   set service lmtp { drop_priv_before_exec=yes })
> 
>  dovecot: lmtp(67814): Panic: file mail-user.c: line 229 (mail_user_deinit):
>   assertion failed: ((*user)->refcount== 1)
> 
>  lmtp(root): Info: msgid=<07e3a23b2aaea60b at mx.2718282.net>:
>   save failed to INBOX: generate_keypair(INBOX) failed:
>   mail_crypt_require_encrypted_user_key set,
>   cannot generate user keypair without password or key
> 
> My config files:
> 
> # 2.3.14 (cee3cbc0d): /etc/mail/imap.conf
> # OS: OpenBSD 6.9 amd64
> auth_verbose = yes
> debug_log_path = /var/log/dovecot
> info_log_path = /var/log/dovecot
> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
> mail_debug = yes
> namespace inbox {
>  ...
> }
> passdb {
>   args = /etc/mail/imap-sqlite.conf
>   driver = sql
> }
> plugin {
>   mail_crypt_curve = secp521r1
>   mail_crypt_require_encrypted_user_key = yes
>   mail_crypt_save_version = 2
> }
> protocols = imap lmtp
> service imap-login {
>  ...
> }
> ssl = required
> ssl_cert = </etc/ssl/rsa.crt
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_prefer_server_ciphers = yes
> userdb {
>   args = /etc/mail/imap-sqlite.conf
>   driver = sql
>   override_fields = uid=vmail gid=vmail
> }
> 
> # file: /etc/mail/imap-sqlite.conf
> driver = sqlite
> connect = /etc/mail/sqlite.db
> default_pass_scheme = BLF-CRYPT
> user_query = SELECT '/home/vmail/'||destination AS home FROM virtuals WHERE email = '%u'
> password_query = SELECT email as user, password, '%w' AS \
>   userdb_mail_crypt_private_password FROM credentials WHERE email = '%u'
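
The provisioning step Aki describes, as an added example that is not part of Aki's or Daniel's posts and not Dovecot's own code: a small POSIX shell script that generates the encrypted user keypair at the moment the account's password is actually known (account creation or a password change), so that lmtp, which never sees %w, does not have to generate anything. It assumes Dovecot 2.3's doveadm is on PATH, that the private password can be supplied as the plugin setting override plugin/mail_crypt_private_password via doveadm's global -o option, and that an empty password must be rejected rather than passed through; the DOVEADM variable, the function names and the sample user names are the example's own.

```shell
#!/bin/sh
# Added example, not code from this thread or from Dovecot: provision an encrypted
# mail-crypt user keypair for one account while its password is known, so that
# LMTP delivery (which has no password) never has to generate it and never hits
# "cannot generate user keypair without password or key".
# Assumptions: Dovecot 2.3 doveadm on PATH; the private password is passed as the
# plugin setting override via doveadm's global -o option.
set -eu

DOVEADM="${DOVEADM:-doveadm}"   # assumption: lets a caller point at a specific binary

# Refuse an empty password up front: with mail_crypt_require_encrypted_user_key=yes
# an unencrypted user key would be rejected anyway, and a silent fallback would
# reproduce the delivery-time failure from the thread.
require_password() {
    if [ -z "$2" ]; then
        echo "refusing to generate a user key without a private password for $1" >&2
        return 1
    fi
}

# Generate the user-level keypair (-U) with the private key encrypted under the
# given password. Without -f, doveadm keeps an already existing keypair, so this
# is safe to run again for an account that was provisioned earlier.
generate_user_key() {
    user="$1"; password="$2"
    "$DOVEADM" -o "plugin/mail_crypt_private_password=$password" \
        mail cryptokey generate -u "$user" -U
}

# Entry point used by an account-creation or password-change hook.
provision_user_key() {
    user="$1"; password="${2:-}"
    require_password "$user" "$password" || return 1
    generate_user_key "$user" "$password"
}

# Usage: provision-cryptokey.sh alice@example.com 'the login password'
if [ "$#" -eq 2 ]; then
    provision_user_key "$1" "$2"
fi
```

Two caveats for a setup like Daniel's, where the private password is the login password (%w): the password passed with -o is briefly visible in the process argument list on the host, so run this from a hook on the mail server rather than over a shared shell, and because the user key is bound to the login password, a password change must also re-encrypt the key (doveadm mail cryptokey password) or the user's existing mail becomes unreadable.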

