<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
It's a known issue that the password will be set to a silly value, most likely 'yes'.
</div>
<div>
<br>
</div>
<div>
You should generate the user key during provisioning with `doveadm cryptokey generate -Uu user -n password`.
</div>
<div>
<br>
</div>
<div>
Aki
</div>
<blockquote type="cite">
<div>
On 08/12/2019 16:22
<a href="mailto:uxqex4efpu@elude.in">uxqex4efpu@elude.in</a> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
Technically, creating and encrypting a folder key does not require decrypting the user's private key. All folder keys are encrypted with the user's public key.
</div>
</blockquote>
<div>
The problem is that this is a new user. The new user has no private key. I need to generate that private key. It does not make sense to encrypt something using a public key if there is no private key. Both the public and private keys are mathematically related and have to be created together. Am I using the wrong command for creating the main user's encrypted EC private key?
</div>
<div>
<br>
</div>
<div>
To direct my question primarily: is there any way to have Dovecot execute a bash script at the time the mailbox is created (lda_mailbox_autocreate)?
</div>
<div>
<br>
</div>
<div>
Also, I notice extra behavior when I do the following:
</div>
<div>
<br>
</div>
<div>
1. I create a user in the MySQL database
</div>
<div>
2. I confirm that no mailbox exists for the user
</div>
<div>
3. I confirm that no cryptokeys exist for the user
</div>
<div>
<br>
</div>
<blockquote type="cite">
<pre>root@localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
Folder Active Public ID
root@localhost:/var/vmail#</pre>
</blockquote>
<div>
4. Before creating a mailbox or cryptokeys for the user, I send mail from an existing user to the new user
</div>
<div>
5. Postfix delivers the mail to Dovecot
</div>
<div>
6. Dovecot accepts the mail for the new user and creates the mailbox automatically (lda_mailbox_autocreate)
</div>
<div>
7. I check and see that Dovecot has created a key for the user
</div>
<div>
<br>
</div>
<blockquote type="cite">
<pre>root@localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
Folder Active Public ID
yes XYZ
root@localhost:/var/vmail#</pre>
</blockquote>
<div>
How is this possible??? I have set in the mail-crypt settings that user keys have to be encrypted (mail_crypt_require_encrypted_user_key = yes), but I supply no key! How does Dovecot create the main user's encrypted public/private EC keypair without an encryption key being given?
</div>
<div>
<br>
</div>
<div>
I confirm that the mail item for 'newuser' is encrypted, but of course I cannot decrypt the mail. I get the error:
</div>
<div>
<br>
</div>
<blockquote type="cite">
<pre>dovecot: imap(newuser...Error: Mailbox INBOX: UID=1: read()
failed...Private key not available: Cannot decrypt key XYZ</pre>
</blockquote>
<div>
It is not good to execute generateKeys.sh on the user's first login. What if the user receives email before the first login? How do I execute generateKeys.sh on mailbox creation, and what do I do with incoming emails when no keypair has been created? Reject them, or queue them, or save them unencrypted until I generate the keypair? Is that possible?
</div>
<div>
<br>
</div>
<div>
On Sun, December 8, 2019 08:04, Aki Tuomi via dovecot wrote:
</div>
<blockquote type="cite">
<div>
Technically, creating and encrypting a folder key does not require decrypting the user's private key. All folder keys are encrypted with the user's public key.
</div>
<div>
<br>
</div>
<div>
Aki
</div>
<div>
<br>
</div>
<div>
On 08/12/2019 09:42 uxqex4efpu--- via dovecot &lt;<a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>&gt; wrote:
</div>
</blockquote>
<blockquote type="cite">
<div>
What is the best way to cause a bash script to run (as root) at the time a mailbox is created (lda_mailbox_autocreate)?
</div>
<div>
<br>
</div>
<div>
I use dovecot 2.3.4.1 on Debian 10.
</div>
<div>
<br>
</div>
<div>
And I use the mail-crypt plugin
<a href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/" rel="noopener" target="_blank">https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/</a>
</div>
</blockquote>
<blockquote type="cite">
<div>
I set up mail-crypt to require an encrypted user EC key (mail_crypt_require_encrypted_user_key = yes). I want the passphrase that encrypts the EC key to use the client's plaintext password, so there is no credential stored on the server. But because a user might use a bad password, I concatenate the user's plaintext password with a random salt, then SHA512() hash the string and use the hash as the decryption key (mail_crypt_private_password) for the EC private key.
</div>
</blockquote>
<blockquote type="cite">
<div>
For the above I have the plugin config
</div>
<pre>mail_plugins = $mail_plugins mail_crypt
plugin {
  mail_crypt_curve = secp256k1
  mail_crypt_require_encrypted_user_key = yes
  mail_crypt_save_version = 2
}</pre>
</blockquote>
<blockquote type="cite">
<div>
And to return userdb_mail_crypt_private_password, I have the SQL query
</div>
<pre>password_query = SELECT username, password, \
  SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
  FROM virtual_users WHERE username='%u';</pre>
</blockquote>
<blockquote type="cite">
<div>
But how do I generate the user's key automatically? Note that to generate the user's key, I need the user's plaintext password. I never save the user's plaintext password on the server.
</div>
<div>
<br>
</div>
<div>
Also note that the user is created in PHP on the web server. And for security I do not allow PHP to exec a shell (php.ini disabled_functions). Definitely not giving PHP doveadm access!
</div>
</blockquote>
<blockquote type="cite">
<div>
To solve the problem of generating the user's encrypted key, I make the imap service call the 'imap-postlogin' service, as the document "Post-login scripting" describes:
<a href="https://doc.dovecot.org/admin_manual/post_login_scripting/" rel="noopener" target="_blank">https://doc.dovecot.org/admin_manual/post_login_scripting/</a>
</div>
<div>
<br>
</div>
<div>
And 'imap-postlogin' executes my custom script with the 'script-login' binary
<a href="https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c" rel="noopener" target="_blank">https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c</a>
</div>
<div>
<br>
</div>
<div>
Here is the config for the above
</div>
</blockquote>
<blockquote type="cite">
<pre>service imap {
  executable = imap imap-postlogin
}
service imap-postlogin {
  executable = script-login /usr/local/bin/generateKeys.sh
  unix_listener imap-postlogin {
  }
}</pre>
</blockquote>
<blockquote type="cite">
<div>
And generateKeys.sh is a simple script for generating keys with the sha256() hash produced by MySQL. Note that the variable ${MAIL_CRYPT_PRIVATE_PASSWORD} is automatically set from the 'userdb_mail_crypt_private_password' field returned by the MySQL query, as documented at
<a href="https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings" rel="noopener" target="_blank">https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings</a>
</div>
<div>
<br>
</div>
<blockquote type="cite">
<div>
Fields returned by userdb lookup with their keys uppercased (e.g. if userdb returned home, it's stored in HOME).
</div>
</blockquote>
<div>
<br>
</div>
<div>
Here is generatekeys.sh
</div>
</blockquote>
<blockquote type="cite">
<pre>#!/bin/bash
# Generate the user's mail-crypt key only when `cryptokey list -U` prints
# nothing beyond its header line: header only means no key exists yet,
# an existing key adds a second line. Only stderr is discarded, so the
# listing itself reaches wc.
if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U 2>/dev/null | wc -l)" -lt 2 ]; then
  /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" \
    mailbox cryptokey generate -u "${USER}" -U > /dev/null
fi
# Hand over to the real imap process, as script-login expects.
exec "$@"</pre>
</blockquote>
<blockquote type="cite">
<div>
This works! But I want it to be better. Why execute it on each login? Is it possible to have generateKeys.sh execute only at the time Dovecot creates the mailbox (lda_mailbox_autocreate) instead?
</div>
</blockquote>
<div>
<br>
</div>
<div>
---
</div>
<div>
Aki Tuomi
</div>
</blockquote>
<div>
<br>
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
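<div>
Building on the generateKeys.sh post-login script quoted in the thread: an added example, not code from the thread or from Dovecot, of a POSIX shell version whose key-existence check is a function that parses the `doveadm mailbox cryptokey list -U` listing shown in the thread and generates a key only when no active one is listed. The DOVEADM path, the function names and the sample listings are assumptions.
</div>

```shell
#!/bin/sh
# Added example, not the thread's script: a post-login key check for the
# Dovecot mail-crypt setup discussed in the thread. Assumptions: DOVEADM
# points at the doveadm binary, and script-login has exported the userdb
# field userdb_mail_crypt_private_password as MAIL_CRYPT_PRIVATE_PASSWORD.

DOVEADM=${DOVEADM:-/usr/bin/doveadm}

# has_active_user_key: read the output of `cryptokey list -U` on stdin.
# With -U the Folder column is empty, so a key line looks like "yes XYZ"
# after the "Folder Active Public ID" header. Exit 0 when an active key
# is listed, 1 otherwise (header only means the user has no key yet).
has_active_user_key() {
    awk 'NR > 1 && $1 == "yes" { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# ensure_user_key USER: generate the user's encrypted EC keypair only when
# the listing shows no active key, so each login costs one list call.
# Returns 1 without calling doveadm when the password field is missing,
# which would otherwise create a key under an empty passphrase.
ensure_user_key() {
    user=$1
    if [ -z "$MAIL_CRYPT_PRIVATE_PASSWORD" ]; then
        echo "ensure_user_key: no MAIL_CRYPT_PRIVATE_PASSWORD for $user" >&2
        return 1
    fi
    if "$DOVEADM" mailbox cryptokey list -u "$user" -U | has_active_user_key; then
        return 0
    fi
    # -o places the passphrase in this process's argument list, which is
    # typically readable by other local users while the command runs.
    "$DOVEADM" -o "plugin/mail_crypt_private_password=$MAIL_CRYPT_PRIVATE_PASSWORD" \
        mailbox cryptokey generate -u "$user" -U >/dev/null
}

# script-login always passes the real imap executable as arguments; with no
# arguments (for example when sourced by a test) only the functions above
# are defined.
if [ "$#" -gt 0 ]; then
    ensure_user_key "$USER" || exit 1
    exec "$@"
fi
```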
</body>
</html>