Dovecot mail-crypt webmail can't read encrypted messages

Serveria Support support at serveria.com
Sat Oct 8 20:49:35 UTC 2022 

Hi,

I'm here with a follow-up. I have managed to fix this issue!

I have rebuilt the entire project from scratch, using vanilla versions 
of Dovecot, Postfix, SOGO webmail etc and everything works as expected: 
emails are getting encrypted, I'm able to send, receive and read emails 
in webmail. I suspect the root of the issue was that I was using 
software package called iredmail. My guess is that all the master admin 
drama was caused by iredmail. Big thanks to you guys for the hints and 
ideas which eventually helped me troubleshoot this issue! I appreciate 
your assistance.

P.S. Btw, is there any way to hide plain text passwords from Dovecot log 
files? Disabling auth debugging won't help as the system may get 
compromised and the intruder can re-enable logs and grab the passwords 
from the logs. The only person who should know/see the password in clear 
text should be the respective mail user. Is there any way to achieve 
this?

On 2022-09-15 08:16, Aki Tuomi wrote:
>> On 14/09/2022 19:34 EEST Serveria Support <support at serveria.com> 
>> wrote:
>> 
>> 
>> Thanks for your help. Do you know in which folder the keys are stored?
>> I'd like to check the permissions...
>> 
> 
> 
> Some notes here, after reading this thread again:
> 
> - Keys are stored in mail_attributes file, which depends on your
> config, but usually is %h/dovecot-attributes, which means it'll be in
> user's home directory.
> 
> - The key format is Dovecot Dcrypt Key, you can use `doveadm mailbox
> cryptokey export` to export them in PEM format. Only **global keys**
> expect PEM formatted keys, which you are not using.
> 
> - If you are using mail_crypt_private_password to encrypt the user
> key, you will need to provide this every time you want to access the
> user's emails, including using doveadm. Dovecot does not know what
> password you are using.
> 
> - Your logs indicate that you are, still, using master userdb. This
> will not work. You cannot use master users with per-user encryption
> passwords in the way you do. If you want to use master users / master
> password, you must not encrypt the user key.
> 
> - You should really focus on reading your logs, because they really do
> indicate that the userdb_mail_crypt_private_password is not exprted in
> anywhere, so clearly and obviously you are not able to access the
> mails.
> 
> Maybe consider removing the master user authentication completely?
> 
> Aki

More information about the dovecot mailing list