<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Hi! Dovecot version 2.2.33.2</div> <div> </div> <div>I added folder based encryption with encrypted user keys to my dovecot using the five config lines in the manual:</div> <div><a href="https://wiki2.dovecot.org/Plugins/MailCrypt#Folder_keys" target="_blank">https://wiki2.dovecot.org/Plugins/MailCrypt#Folder_keys</a></div> <div>I also adjusted the database query slightly, as suggested. (MySQL, SHA512 passwords)</div> <div> </div> <div>I found out that I have to either:</div> <div>- manually generate a key using doveadm -o plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail@example.org -URf</div> <div>OR</div> <div>- send an email to the newly generated address. It will end up in the mail queue (postqueue -p) with the error message "mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key"</div> <div>10-30 minutes later, however, a key will have been automatically generated and the email will be delivered.</div> <div> </div> <div>QUESTION 1: Does dovecot use the IMAP login my client performs to grab the password required to generate an encrypted user key? Or did it create an unencrypted key? It definitely seems to be password protected because "doveadm mailbox cryptokey password" will fail setting a new password unless I specify the actual email address password.</div> <div> </div> <div>QUESTION 2: If I change the password in the MySQL database this won't work, because Dovecot will not have access to the old password, correct?</div> <div> </div> <div>Thank you for your time.</div></div></body></html>
Keys are generated when they are needed, so it does require that provisioning step currently. Maybe user key could be made on login too...

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: eaerhaerhaehae aehraerhaeha <dovecotquestion at gmx.de>
Date: 01/09/2018 13:57 (GMT+02:00)
To: dovecot at dovecot.org
Subject: Do encrypted user keys self generate?

Hi! Dovecot version 2.2.33.2

I added folder based encryption with encrypted user keys to my dovecot using the five config lines in the manual:
https://wiki2.dovecot.org/Plugins/MailCrypt#Folder_keys
I also adjusted the database query slightly, as suggested. (MySQL, SHA512 passwords)

I found out that I have to either:
- manually generate a key using doveadm -o plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail@example.org -URf
OR
- send an email to the newly generated address. It will end up in the mail queue (postqueue -p) with the error message "mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key"
10-30 minutes later, however, a key will have been automatically generated and the email will be delivered.

QUESTION 1: Does dovecot use the IMAP login my client performs to grab the password required to generate an encrypted user key? Or did it create an unencrypted key? It definitely seems to be password protected because "doveadm mailbox cryptokey password" will fail setting a new password unless I specify the actual email address password.

QUESTION 2: If I change the password in the MySQL database this won't work, because Dovecot will not have access to the old password, correct?

Thank you for your time.
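
The provisioning step mentioned in the reply, together with the password-change case raised in QUESTION 2, as an added shell example that is not part of the thread and not Dovecot's own code. The function names, `DOVEADM` and `DRY_RUN` are assumptions of this example, and the `-o`/`-n` (old/new password) options of `cryptokey password` are assumed from the mail-crypt plugin documentation, so check them against the installed version.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, DOVEADM and DRY_RUN are
# assumptions; DRY_RUN=1 prints the command (secrets included) for testing.
DOVEADM="${DOVEADM:-doveadm}"

# Reject secrets that are empty or contain '%': Dovecot expands %variables in
# plugin settings, so such a password would not reach mail_crypt verbatim.
valid_secret() {
    case "$1" in
        ''|*%*) return 1 ;;
    esac
}

# Run a command, or print it when DRY_RUN=1. Passwords passed as arguments
# are visible in the process list while doveadm runs, so use this only on a
# host where local access is restricted.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Provisioning step at account creation: generate the user keypair encrypted
# with the login password (the command the original post ran by hand).
provision_user_key() {   # usage: provision_user_key USER PASSWORD
    valid_secret "$2" || { echo "unusable password for $1" >&2; return 2; }
    run "$DOVEADM" -o "plugin/mail_crypt_private_password=$2" \
        mailbox cryptokey generate -u "$1" -URf
}

# Password change: re-encrypt the private key while the old password is still
# at hand, and only then write the new hash to SQL. The stored hash cannot
# unlock the key, so the old cleartext password is needed here.
change_key_password() {  # usage: change_key_password USER OLD NEW
    valid_secret "$2" && valid_secret "$3" ||
        { echo "unusable password for $1" >&2; return 2; }
    run "$DOVEADM" mailbox cryptokey password -u "$1" -o "$2" -n "$3"
}
```

Call `provision_user_key` from the account-creation path and `change_key_password` from the password-change path before the SQL row is updated.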