FELINN
2019-Mar-27 23:08 UTC
MailCrypt: Encrypted user keys configuration with LDAP & cryptokey generate
Hi, I try to use the MailCrypt plugin with Folder encryption and encrypted user keys, using LDAP. I use Dovecot 2.2.27 (c0f36b0). I follow the wiki: https://wiki2.dovecot.org/Plugins/MailCrypt

doveconf -n and dovecot-ldap.conf.ext are attached to this message.

I well configured slapd to let dovecot's dn query the userPassword (hashed password SSHA). I use the fusiondirectory-mail plugin:

------------------------------------------------------------------------
$ ldapsearch -D 'cn=dovecot,ou=dsa,dc=foo,dc=bar' -W -LLL '(&(objectClass=gosaMailAccount)(objectClass=posixAccount)(uid=<user>))' 'userPassword'
dn: cn=<user>,ou=people,dc=foo,dc=bar
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
------------------------------------------------------------------------

The problem is that mails are still readable and no keys are generated, even if I send a mail to this address or log in through webmail. I waited more than 1h for something to happen, cf: https://dovecot.org/list/dovecot/2018-September/112763.html

If I try to generate keys manually I get this error:

------------------------------------------------------------------------
$ doveadm mailbox cryptokey generate -u <user>
doveadm(<user>): Error: mail_crypt_user_generate_keypair(<user>) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key
Folder Public ID
x ERROR: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key
doveadm(<user>): Warning: Timeout leak: 0x7f0c439c0180 (mail-index-alloc-cache.c:240)
------------------------------------------------------------------------

It works with -o plugin/mail_crypt_private_password=<password> of course, but by hand it's not the goal ><

I'm probably missing something; I guess that the part of the wiki about sql and password_query is only for configurations that use SQL for dbuser. Are there similar things to do with LDAP?

Thank you very much for your time.
-- f00wl FELINN https://felinn.org
FELINN
2019-Mar-27 23:15 UTC
MailCrypt: Encrypted user keys configuration with LDAP & cryptokey generate
Here are attachments.
--
f00wl
FELINN https://felinn.org
-------------- next part --------------
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.15.18-9-pve x86_64 Debian 9.8
auth_username_format = %n
auth_verbose = yes
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_trusted_networks = 192.168.10.100/24
mail_attribute_dict = file:%h/mail/dovecot-attributes
mail_location = mbox:~/mail
mail_plugins = quota quota fts fts_squat mail_crypt
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/conf.d/dovecot-ldap.conf.ext
driver = ldap
}
passdb {
driver = pam
}
plugin {
mail_crypt_curve = secp521r1
mail_crypt_require_encrypted_user_key = yes
mail_crypt_save_version = 2
quota = fs:User quota:user
quota2 = fs:Disk quota
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp
service lmtp {
inet_listener lmtp {
port = 24
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
shutdown_clients = no
ssl_cert = </etc/dovecot/ssl/imap.felinn.org.crt
ssl_key = # hidden, use -P to show it
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/conf.d/dovecot-ldap.conf.ext
driver = ldap
}
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = quota quota fts fts_squat quota sieve
postmaster_address = contact at felinn.org
}
protocol lda {
mail_plugins = quota quota fts fts_squat sieve
}
protocol imap {
mail_plugins = quota quota fts fts_squat imap_quota
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-ldap.conf.ext
Type: application/vnd.novadigm.ext
Size: 652 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190328/a11708f9/attachment.bin>
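An added configuration example (written here for illustration; it is neither the thread's scrubbed attachment nor code from the Dovecot project) showing how the wiki's SQL password_query pattern, where the plaintext login password is returned as userdb_mail_crypt_private_password, could be carried over to an LDAP passdb. The LDAP host, bind password and the prefetch-related attribute mappings are placeholders and assumptions; the `=userdb_mail_crypt_private_password=%w` template line is my assumption of the LDAP equivalent and is not something the thread confirms works on 2.2.27.

```conf
# dovecot-ldap.conf.ext (assumed example, not the poster's file)
hosts = ldap.example.org            # placeholder
dn = cn=dovecot,ou=dsa,dc=foo,dc=bar
dnpass = PLACEHOLDER_BIND_PASSWORD  # placeholder, keep this file mode 0600
ldap_version = 3
auth_bind = no                      # Dovecot fetches the {SSHA} hash and verifies it itself
base = ou=people,dc=foo,dc=bar
scope = subtree

pass_filter = (&(objectClass=gosaMailAccount)(objectClass=posixAccount)(uid=%u))
user_filter = (&(objectClass=gosaMailAccount)(objectClass=posixAccount)(uid=%u))

# %w is the plaintext password the client just presented. It exists only
# for plaintext mechanisms (PLAIN/LOGIN, so keep them TLS-only); with
# CRAM-MD5 or similar there is no plaintext and no key can be unlocked.
# "=userdb_<field>=<template>" adds an extra passdb field; fields prefixed
# userdb_ are handed to the prefetch userdb, which is first in the poster's
# doveconf -n. The home/uid/gid mappings are the usual prefetch pattern,
# added so that prefetch does not return a user without a home directory.
pass_attrs = uid=user, userPassword=password, \
  homeDirectory=userdb_home, uidNumber=userdb_uid, gidNumber=userdb_gid, \
  =userdb_mail_crypt_private_password=%w

# Used when no passdb lookup happened (LMTP delivery, doveadm): no %w here.
user_attrs = homeDirectory=home, uidNumber=uid, gidNumber=gid
```

Two consequences follow from where the password comes from. First, the user key can only be created or unlocked in a session that performed a passdb lookup, i.e. an IMAP/POP3 login; LMTP delivery and doveadm never see %w, which is exactly why the poster's `doveadm mailbox cryptokey generate` fails until `-o plugin/mail_crypt_private_password=` is supplied by hand, and why mail delivered before the first login is stored in the clear. Second, after a login you can confirm a key was generated with `doveadm mailbox cryptokey list -u <user> -U`, which lists user keys without needing the password; an empty list after a successful IMAP login means the extra field is not reaching the userdb, and `auth_debug = yes` will show which fields the passdb returned.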