System installed: Dovecot 2.2.12 as IMAP server and Postfix as MTA. Dovecot and Postfix are connected via LMTP, plus the Dovecot mail plugin 'mail-filter' to encrypt/decrypt emails on the fly with the users' public/private RSA keys.

Case study: you have 3 (virtual) users belonging to 3 different domains, all managed by your Dovecot server. One of these users is connected to Dovecot with the MUA Thunderbird, and he is writing an email to someone outside of your domains, but he puts the two other users' email addresses in CC:

  mail from: user1 at domain1.dovecot --> to: someone at outside, CC: user2 at domain2.dovecot, user3 at domain3.dovecot

What happens (as far as I can understand): the email is submitted to Postfix; one copy is delivered outside, the other is passed to Dovecot via LMTP for user2 & user3 @dovecot. Dovecot is handling the final delivery, through the mail-filter plugin, as follows:

1. both users' contexts are created from user_db queries
2. the mail-filter plugin is initialised for user2
3. /mail_user_created/ for user2
4. the mail-filter plugin arguments are parsed for user2
5. ... /mail_allocated/ then /mail_save_begin/ for user2 (at this stage, the email is encrypted with user2's params)
6. Dovecot tells LMTP that the mail for user2 is delivered
7. then - we are still in user2's context - another /mail_allocated/ is run, followed by an /istream_opened/
8. the mail user context is switched to user3 --> /mail_user_created/ --> plugin's args parsed --> ... /mail_allocated/
9. and ... Dovecot tells LMTP that the mail for user3 is delivered

So, it appears that Dovecot is re-using user2's email to pass it to user3 by opening an istream in user2's context. In my configuration, Dovecot can't do that because it does not have user2's private RSA key to reopen the email it has just encrypted, so it passes the email to user3 with user2's encryption params.

Final result: user3 is receiving the email encrypted with user2's RSA key!

Problem: how to force Dovecot to deinit then reinit the mail-filter plugin for each user, to be sure that each email is encrypted with the right key before it is saved to the users' mailboxes?

Thank you in advance for your help.

Stan.
On 24 May 2014 at 18:14, Stanislas SABATIER wrote:

> System installed: Dovecot 2.2.12 as IMAP server and Postfix as MTA.
> Dovecot and Postfix connected via LMTP
> + Dovecot mail plugin 'mail-filter' to encrypt/decrypt emails on the fly
> with public/private users' RSA keys.
>
> [...]
> Final result: user3 is receiving the email encrypted with user2's RSA key!

Hello Stanislas,

All of this sounds a bit "bizarre", not to say frightening... To avoid any ambiguity, could you post the output of doveconf -n? As well as your encryption and decryption scripts? And tell us how Postfix is configured wrt LMTP?

> Problem: how to force Dovecot to deinit then reinit the mail-filter plugin
> for each user, to be sure that each email is encrypted with the right key
> before it is saved to the users' mailboxes?

There could perhaps be a (temporary) workaround at Postfix's level, by limiting the number of recipients?

Axel
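One way to apply the Postfix-level workaround Axel suggests, as an added example that is not from the thread and assumes Postfix hands mail to Dovecot through its built-in lmtp transport: Postfix's lmtp_destination_recipient_limit caps how many recipients are sent in one LMTP transaction, so setting it to 1 makes Postfix deliver user2 and user3 in separate transactions instead of one transaction with two RCPT TO commands.

```conf
# /etc/postfix/main.cf  (added example, not from the thread)

# Weak (default) setting: lmtp_destination_recipient_limit falls back to
# default_destination_recipient_limit, which is 50. A message addressed to
# user2 and user3 is therefore handed to Dovecot in ONE LMTP transaction
# with two RCPT TO commands, the situation described in the thread where
# Dovecot re-uses the first recipient's saved (encrypted) mail for the
# second recipient.
#lmtp_destination_recipient_limit = 50

# Workaround: one recipient per LMTP transaction. Each recipient then gets
# its own delivery with its own user context and its own mail-filter run,
# at the cost of one LMTP transaction per recipient.
lmtp_destination_recipient_limit = 1

# If Postfix reaches Dovecot through a custom transport in master.cf
# (for example one named "dovecot"), the per-transport form of the same
# parameter applies instead: dovecot_destination_recipient_limit = 1
```

Apply with `postfix reload` and confirm with `postconf lmtp_destination_recipient_limit`; this only avoids the multi-recipient code path, it does not change the plugin's documented lack of support for modifying mail during writing.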
On Sat, 24 May 2014, Stanislas SABATIER wrote:

> Dovecot is handling the final delivery, through the mail-filter plugin as
> follows:
>
> 1. both users' contexts are created from user_db queries
> 2. the mail-filter plugin is initialised for user2
> 3. /mail_user_created/ for user2
> 4. the mail-filter plugin arguments are parsed for user2
> 5. ... /mail_allocated/ then /mail_save_begin/ for user2 (at this stage,
> the email is encrypted with user2's params)
> 6. Dovecot tells LMTP that the mail for user2 is delivered
> 7. then - we are still in user2's context - another
> /mail_allocated/ is run, followed by an /istream_opened/
> 8. the mail user context is switched to user3 --> /mail_user_created/ -->
> plugin's args parsed --> ... /mail_allocated/
> 9. and ... Dovecot tells LMTP that the mail for user3 is delivered
>
> So, it appears that Dovecot is re-using user2's email to pass it to
> user3 by opening an istream in user2's context. In my configuration,
> Dovecot can't do that because it does not have user2's private RSA key to
> reopen the email it has just encrypted, so it passes the email to user3
> with user2's encryption params.
> Final result: user3 is receiving the email encrypted with user2's RSA key!
>
> Problem: how to force Dovecot to deinit then reinit the mail-filter plugin
> for each user, to be sure that each email is encrypted with the right key
> before it is saved to the users' mailboxes?

If your observations are true, you cannot. I slightly remember a discussion about a plugin that changes the message content. Timo answered that with "that is not supported". Also, see:

http://wiki2.dovecot.org/Plugins/MailFilter

"(TODO: Modifying the mail during writing would be possible with some code changes.)" in the first paragraph.

Encrypting the message is "to modify the mail" IMHO.
--
Steffen Kaiser
On 05/06/2014 14:06, Steffen Kaiser wrote:

> If your observations are true, you cannot. I slightly remember a
> discussion about a plugin that changes the message content. Timo
> answered that with "that is not supported". Also, see:
>
> http://wiki2.dovecot.org/Plugins/MailFilter
>
> "(TODO: Modifying the mail during writing would be possible with some
> code changes.)" in the first paragraph.
>
> Encrypting the message is "to modify the mail" IMHO.
>
> --
> Steffen Kaiser

Hello Steffen,

I have been encrypting/decrypting email on the fly for months now with the help of the mail-filter plugin. It works perfectly as long as the decrypted email is exactly as it was before it was encrypted, which is the case with my bespoke encrypt/decrypt programs. That is not the point I raised in this thread. The point is that, in a specific circumstance, Dovecot is trying to read an email that has been encrypted without having the user this email belongs to authenticated.

Regards,
Stan.