<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I have been using postfix+dovecot successfully for a while now,
until I recently tried the mail_crypt plugin. I followed what is described
here
<a class="moz-txt-link-freetext" href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/">https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/</a>
and I went for global-keys as described here:
<a class="moz-txt-link-freetext" href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys">https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys</a><br>
<i>"A good solution for environments where no user folder sharing
is needed is to generate per-user EC key pair and encrypt that
with something derived from user’s password."</i><br>
<br>
I am setting mail_crypt_global_private_key,
mail_crypt_global_public_key and mail_crypt_save_version from
user_query, and userdb_mail_crypt_global_private_key_password from
password_query. mail_crypt seems to work fine in imap (I saved a
message as a draft and it is stored encrypted on disk), but lmtp
complains: "mail_crypt_global_private_key_password unset, no
password to decrypt the key". As you can see in the logs below, it
was able to set all the other mail_crypt_ settings successfully
from user_query. However, the password is provided via
password_query, and I assume lmtp does not read password_query (the
lmtp userdb lookup below returns only the user_query fields and no
password). How else can I provide the password in lmtp? Is my
approach correct to begin with?<br>
<br>
-- Dovecot Configurations --<br>
# using doveconf -n<br>
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf<br>
# Pigeonhole version 0.5.19 (4eae2f79)<br>
# OS: Linux 5.15.0-57-generic x86_64 Ubuntu 20.04.5 LTS <br>
# Hostname: mailserver-dovecot-7c9ff7b94b-8ldrr<br>
auth_mechanisms = plain login<br>
auth_verbose = yes<br>
auth_verbose_passwords = yes<br>
debug_log_path = /dev/stdout<br>
haproxy_trusted_networks = 192.168.0.0/16 10.10.10.0/24
10.10.30.0/24 172.17.0.1/16<br>
hostname = imap.mailserver.k8s.local pop.mailserver.k8s.local<br>
info_log_path = /dev/stdout<br>
listen = *<br>
log_path = /dev/stdout<br>
mail_debug = yes<br>
mail_gid = 1000<br>
mail_home = /var/vmail/mailboxes/%d/%n<br>
mail_location = maildir:~/:LAYOUT=fs<br>
mail_plugins = quota mail_crypt<br>
mail_privileged_group = mail<br>
mail_uid = 1000<br>
managesieve_notify_capability = mailto<br>
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext imapsieve vnd.dovecot.imapsieve<br>
namespace inbox {<br>
inbox = yes<br>
location = <br>
mailbox Drafts {<br>
auto = subscribe<br>
special_use = \Drafts<br>
}<br>
mailbox Sent {<br>
auto = subscribe<br>
special_use = \Sent<br>
}<br>
mailbox "Sent Messages" {<br>
special_use = \Sent<br>
}<br>
mailbox Spam {<br>
auto = subscribe<br>
autoexpunge = 30 days<br>
special_use = \Junk<br>
}<br>
mailbox Trash {<br>
auto = subscribe<br>
autoexpunge = 30 days<br>
special_use = \Trash<br>
}<br>
prefix = <br>
}<br>
passdb {<br>
args = /etc/dovecot/dovecot-sql.conf.ext<br>
driver = sql<br>
}<br>
plugin {<br>
imapsieve_mailbox1_before =
<a class="moz-txt-link-freetext" href="file:/var/vmail/sieve/global/learn-spam.sieve">file:/var/vmail/sieve/global/learn-spam.sieve</a><br>
imapsieve_mailbox1_causes = COPY APPEND FLAG<br>
imapsieve_mailbox1_name = Spam<br>
imapsieve_mailbox2_before =
<a class="moz-txt-link-freetext" href="file:/var/vmail/sieve/global/learn-ham.sieve">file:/var/vmail/sieve/global/learn-ham.sieve</a><br>
imapsieve_mailbox2_causes = COPY APPEND FLAG<br>
imapsieve_mailbox2_from = Spam<br>
imapsieve_mailbox2_name = *<br>
mail_crypt_save_version = 0<br>
quota = maildir:User quota<br>
quota_exceeded_message = User %u has exhausted allowed storage
space.<br>
quota_rule = Junk:ignore<br>
quota_rule2 = Trash:storage=+100M<br>
quota_warning = storage=90%% quota-warning 90 %u %d<br>
quota_warning2 = storage=80%% quota-warning 80 %u %d<br>
sieve = <a class="moz-txt-link-freetext" href="file:~/sieve;active=~/.dovecot.sieve">file:~/sieve;active=~/.dovecot.sieve</a><br>
sieve_before = /var/vmail/sieve/global/spam-global.sieve<br>
sieve_global = /var/vmail/sieve/global/<br>
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug<br>
sieve_pipe_bin_dir = /var/vmail/sieve/global<br>
sieve_plugins = sieve_imapsieve sieve_extprograms<br>
}<br>
protocols = " imap lmtp sieve pop3"<br>
service auth {<br>
inet_listener {<br>
port = 25252<br>
}<br>
}<br>
service imap-login {<br>
inet_listener imap {<br>
haproxy = yes<br>
}<br>
inet_listener imaps {<br>
haproxy = yes<br>
ssl = yes<br>
}<br>
}<br>
service lmtp {<br>
executable = lmtp -L<br>
inet_listener lmtp {<br>
address = 0.0.0.0<br>
port = 24<br>
}<br>
}<br>
service managesieve-login {<br>
inet_listener sieve {<br>
port = 4190<br>
}<br>
}<br>
service pop3-login {<br>
inet_listener pop3 {<br>
haproxy = yes<br>
}<br>
inet_listener pop3s {<br>
haproxy = yes<br>
}<br>
}<br>
ssl = required<br>
ssl_cert = </etc/dovecot/certs/tls.crt<br>
ssl_client_ca_dir = /etc/ssl/certs<br>
ssl_key = # hidden, use -P to show it<br>
ssl_prefer_server_ciphers = yes<br>
userdb {<br>
args = /etc/dovecot/dovecot-sql.conf.ext<br>
driver = sql<br>
}<br>
protocol lmtp {<br>
info_log_path = /dev/stdout<br>
log_path = /dev/stdout<br>
mail_plugins = quota mail_crypt sieve<br>
postmaster_address = <hidden><br>
}<br>
protocol imap {<br>
mail_plugins = quota mail_crypt quota imap_quota imap_sieve<br>
}<br>
-- Dovecot Configurations Ends --<br>
<br>
-- Password Query --<br>
password_query = \<br>
SELECT username, domain, password, \<br>
'%{sha256:password}' AS
userdb_mail_crypt_global_private_key_password \<br>
FROM mailbox \<br>
WHERE username='%u';<br>
-- Password Query Ends--<br>
<br>
-- User Query --<br>
user_query = SELECT CONCAT('*:bytes=', 1024) as quota_rule, \<br>
private_key AS mail_crypt_global_private_key, \<br>
public_key AS mail_crypt_global_public_key, \<br>
mail_crypt_save_version AS mail_crypt_save_version \<br>
FROM mailbox \<br>
WHERE username='%u';<br>
-- User Query Ends --<br>
<br>
-- Debug Logs --<br>
--- Load Inbox ---<br>
imap-login: Info: Login: user=<a class="moz-txt-link-rfc2396E" href="mailto:someone@example.com"><someone@example.com></a>,
method=PLAIN, rip=192.168.49.1, lip=192.168.49.2, mpid=241, TLS,
session=<oaoI9sLxVKXAqDEB><br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Loading modules from directory: /usr/lib/dovecot/modules<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Module loaded:
/usr/lib/dovecot/modules/lib10_mail_crypt_plugin.so<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Module loaded:
/usr/lib/dovecot/modules/lib10_quota_plugin.so<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Module loaded:
/usr/lib/dovecot/modules/lib11_imap_quota_plugin.so<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Module loaded:
/usr/lib/dovecot/modules/lib95_imap_sieve_plugin.so<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Added userdb setting:
plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Added userdb setting:
plugin/mail_crypt_global_private_key_password=<hidden><br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Added userdb setting:
plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Added userdb setting: plugin/mail_crypt_save_version=2<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Added userdb setting: plugin/quota_rule=*:bytes=1024000000<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Effective uid=1000, gid=1000,
home=/var/vmail/mailboxes/example.com/someone<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: mail_crypt_plugin: mail_crypt_curve setting missing -
generating EC keys disabled<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Quota root: name=User quota backend=maildir args=<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Quota rule: root=User quota mailbox=* bytes=1024000000
messages=0<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Quota rule: root=User quota mailbox=Trash bytes=+104857600
messages=0<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Quota warning: bytes=921600000 (90%) messages=0 reverse=no
command=quota-warning 90 <a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a> example.com<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Quota warning: bytes=819200000 (80%) messages=0 reverse=no
command=quota-warning 80 <a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a> example.com<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Quota grace: root=User quota bytes=102400000 (10%)<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: open(/proc/self/io) failed: Permission denied<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes,
hidden=no, list=yes, subscriptions=yes
location=maildir:~/:LAYOUT=fs<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: fs: root=/var/vmail/mailboxes/example.com/someone, index=,
indexpvt=, control=,
inbox=/var/vmail/mailboxes/example.com/someone, alt=<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: quota: quota_over_flag check: quota_over_script unset -
skipping<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<241><oaoI9sLxVKXAqDEB>:
Debug: Mailbox INBOX: Mailbox opened<br>
--- Load Inbox Ends ---<br>
--- Lmtp ---<br>
lmtp(248): Info: Connect from 172.17.0.1<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: auth-master: userdb lookup(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>): Started
userdb lookup<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb:
Connecting<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb
(pid=143,uid=0): Client connected (fd=18)<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<247><WlggG8PxEOvAqDEB>:
Debug: Mailbox Sent: Purging (new file_seq=1673195172): creating
cache<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<247><WlggG8PxEOvAqDEB>:
Debug: Mailbox Sent: Purging finished, file_seq changed 0 ->
1673195172, size=0 -> 388, max_uid=0<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: auth-master: userdb lookup(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>): auth USER
input: <a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a> quota_rule=*:bytes=1024000000
mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
mail_crypt_save_version=2<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: auth-master: userdb lookup(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>): Finished
userdb lookup (<a class="moz-txt-link-abbreviated" href="mailto:username=someone@example.com">username=someone@example.com</a>
quota_rule=*:bytes=1024000000
mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
mail_crypt_save_version=2)<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Added userdb setting:
plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<247><WlggG8PxEOvAqDEB>:
Debug: duplicate db: Initialize<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Added userdb setting:
plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==<br>
imap(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<247><WlggG8PxEOvAqDEB>:
Debug: sieve: Pigeonhole version 0.5.19 (4eae2f79) initializing<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Added userdb setting:
plugin/mail_crypt_save_version=2<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Added userdb setting:
plugin/quota_rule=*:bytes=1024000000<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Effective uid=1000, gid=1000,
home=/var/vmail/mailboxes/example.com/someone<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: mail_crypt_plugin: mail_crypt_curve setting
missing - generating EC keys disabled<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Quota root: name=User quota backend=maildir
args=<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Quota rule: root=User quota mailbox=*
bytes=1024000000 messages=0<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Quota rule: root=User quota mailbox=Trash
bytes=+104857600 messages=0<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Quota warning: bytes=921600000 (90%)
messages=0 reverse=no command=quota-warning 90 <a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>
example.com<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Quota warning: bytes=819200000 (80%)
messages=0 reverse=no command=quota-warning 80 <a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>
example.com<br>
lmtp(<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>)<248><e2dcD6TuumP4AAAALzF/Qw>:
Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Quota grace: root=User quota bytes=102400000
(10%)<br>
lmtp(248): Error: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt
<a class="moz-txt-link-abbreviated" href="mailto:someone@example.com">someone@example.com</a>: Failed to initialize user: mail_crypt_plugin:
mail_crypt_global_private_key:
mail_crypt_global_private_key_password unset, no password to
decrypt the key<br>
lmtp(248): Info: Disconnect from 172.17.0.1: Logged out
(state=READY)<br>
--- Lmtp Ends ---<br>
-- Debug Logs Ends --<br>
</p>
<p>Thanks<br>
Baljeet Bhinder<br>
</p>
</body>
</html>