Dovecot mail-crypt webmail can't read encrypted messages
Serveria Support
support at serveria.com
Mon Aug 29 13:30:16 UTC 2022
Upon closer review, it seems you're probably right: both users are in
fact marked master_user. How is that possible? I haven't marked new user
as a master_user. Are users marked master_user by default? What's even
more interesting, /etc/dovecot/dovecot-master-users doesn't contain this
user's data. Is it possible to unset this master_user flag somehow? I
browsed through the db in mySQL but wasn't able to locate any
master_users as well. Sorry for being such a noob... :)
On 2022-08-29 11:33, Aki Tuomi wrote:
> Hard to say.
>
> If you are logging is master_user, there will be different password
> than normal user. Usually. With your setup, you can only access user's
> mail if you are using the exact same password that the user was using.
>
> Your logs seem to indicate that you are logging as master_user, so you
> are probably unable to access mails.
>
> Aki
>
>
>> On 29/08/2022 10:51 EEST Serveria Support <support at serveria.com>
>> wrote:
>>
>>
>> Emm, sorry for the confusion, there are two users authenticating -
>> master user "postmaster" and the second user called "test". I have
>> just
>> obfuscated users by replacing usernames with myuser. So no, this
>> shouldn't be the issue.
>>
>> Any other suggestions?
>>
>> On 2022-08-29 10:30, Aki Tuomi wrote:
>> >> On 29/08/2022 09:26 EEST Serveria Support <support at serveria.com>
>> >> wrote:
>> >>
>> >>
>> >> It's a testing install my main goal is to make it work. I will play
>> >> around with password encryption before going live.
>> >>
>> >> I have enabled all possible debugging yet I can's see the value you
>> >> mentioned in the log file. Could you please point me?
>> >>
>> >> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>> >> unix:auth-worker (pid=648542,uid=110): auth-worker<1>:
>> >> sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): query: SELECT
>> >> mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE
>> >> mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1
>> >> AND
>> >> mailbox.active=1 AND mailbox.domain=domain.domain AND
>> >> domain.backupmx=0
>> >> AND domain.active=1
>> >
>> > it's not set here.
>> >
>> >
>> >> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>> >> unix:auth-worker (pid=648542,uid=110): auth-worker<2>:
>> >> sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): SELECT
>> >> LOWER('myuser at mydomain.xyz') AS master_user,
>> >> LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode,
>> >> '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/',
>> >> mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=',
>> >> mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE
>> >> mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1
>> >> AND
>> >> mailbox.active=1 AND mailbox.domain=domain.domain AND
>> >> domain.backupmx=0
>> >> AND domain.active=1
>> >
>> > it's not set here either.
>> >
>> > So. You are doing master user login, and are wondering why user's
>> > password is not available?
>> >
>> > Master user logins are not really compatible with using user's
>> > password as encryption key.
>> >
>> > Aki
>> >
>> >>
>> >> On 2022-08-29 07:56, Aki Tuomi wrote:
>> >> >> On 28/08/2022 09:20 EEST Serveria Support <support at serveria.com>
>> >> >> wrote:
>> >> >>
>> >> >>
>> >> >> I'm trying to setup Dovecot with mail-crypt plugin with per-user
>> >> >> encryption.
>> >> >>
>> >> >> I have configured mail-crypt plugin as per official guide here:
>> >> >> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>> >> >>
>> >> >> After that I created a user and an encrypted key by running this
>> >> >> command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox
>> >> >> cryptokey generate -u mail at example.org -URf (replacing dummy data ofc)
>> >> >>
>> >> >> I can log in to webmail (and Dovecot) just fine, emails are getting
>> >> >> sent
>> >> >> and delivered. I have also checked the storage and the messages seem
>> >> >> to
>> >> >> be stored encrypted.
>> >> >>
>> >> >> However, I can't read the emails in webmail (just headers can be seen)
>> >> >> and in Dovecot logs I can see the following error:
>> >> >>
>> >> >> failed: Private key not available: Cannot decrypt key ### Cannot
>> >> >> decrypt
>> >> >> key ### <8632: Password not available (FETCH RFC822.HEADER)
>> >> >>
>> >> >> There seems to be an issue with mySQL query. The query I'm using
>> >> >> (Select
>> >> >> username as "user", password,"%w" as
>> >> >> userdb_mail_crypt_private_password
>> >> >> from mailbox;) seems to work just fine, when run from mysql prompt it
>> >> >> outputs the usernames and passwords, but the error is still there
>> >> >> (Cannot decrypt key ### Password not available).
>> >> >>
>> >> >> Any ideas? What am I missing
>> >> >
>> >> > Hi!
>> >> >
>> >> > First of all, it's super-unsafe to use user's password like that as
>> >> > private password, at least run it through SHA256. This prevents
>> >> > dovecot from doing expansions on it by accident.
>> >> >
>> >> > Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and
>> >> > make sure the correct value gets added as
>> >> > 'plugin/mail_crypt_private_password' when using with webmail.
>> >> >
>> >> > Aki
More information about the dovecot
mailing list