>> I've tried specifying an output file as well, per the script's command line options,
>> but the output file is 0 bytes. Does anyone have any suggestions? I *think* I'm
>> using it the way it's intended to be used, but maybe I'm not?!
>> -Dave
>
> Hi!
> Maybe the key you tried was not used to encrypt the file?
> Aki

Aki, it's the same key I've used in the config for the mail_crypt plugin in 90-plugin.conf:

plugin {
  mail_crypt_global_private_key = <[PATH_TO_PRIVATE_KEY]
  mail_crypt_global_public_key = <[PATH_TO_PUBLIC_KEY]
  mail_crypt_save_version = 2
}

That's the private key that's encrypting all of the messages successfully, so that's the one I would use with script, correct?

-Dave
On 9.4.2019 18.15, Dave wrote:
> >> I've tried specifying an output file as well, per the script's command line options,
> >> but the output file is 0 bytes. Does anyone have any suggestions? I *think* I'm
> >> using it the way it's intended to be used, but maybe I'm not?!
> >> -Dave
> >
> > Hi!
> > Maybe the key you tried was not used to encrypt the file?
> > Aki
>
> Aki, it's the same key I've used in the config for the mail_crypt
> plugin in 90-plugin.conf:
>
> plugin {
>   mail_crypt_global_private_key = <[PATH_TO_PRIVATE_KEY]
>   mail_crypt_global_public_key = <[PATH_TO_PUBLIC_KEY]
>   mail_crypt_save_version = 2
> }
>
> That's the private key that's encrypting all of the messages
> successfully, so that's the one I would use with script, correct?
> -Dave

Yes. I gave it a try here, and it seems to work. Does it give any extra information if you include -i flag?

Aki
On 4/10/2019 1:32 AM, Aki Tuomi wrote:
> On 9.4.2019 18.15, Dave wrote:
>>>> I've tried specifying an output file as well, per the script's command line options,
>>>> but the output file is 0 bytes. Does anyone have any suggestions? I *think* I'm
>>>> using it the way it's intended to be used, but maybe I'm not?!
>>>> -Dave
>>> Hi!
>>> Maybe the key you tried was not used to encrypt the file?
>>> Aki
>> Aki, it's the same key I've used in the config for the mail_crypt
>> plugin in 90-plugin.conf:
>>
>> plugin {
>>   mail_crypt_global_private_key = <[PATH_TO_PRIVATE_KEY]
>>   mail_crypt_global_public_key = <[PATH_TO_PUBLIC_KEY]
>>   mail_crypt_save_version = 2
>> }
>>
>> That's the private key that's encrypting all of the messages
>> successfully, so that's the one I would use with script, correct?
>> -Dave
>>
> Yes. I gave it a try here, and it seems to work. Does it give any extra
> information if you include -i flag?
>
> Aki

Yes, I had tried that, and it doesn't give much extra information, at least to my eye, that seems to help my issue. Above the previous output it outputs the Version, Flags, Header length, Cipher algo, and Digest algo, and then the Key derivation Rounds. Then it does the previous output and exits as before.

I tried using pry to debug through the script a little, and strace as well, but have not found anything pointing me in the direction of a solution or what may be causing it not to work for me yet. Will keep looking.

Out of curiosity, what version of ruby were you using to run the script? My ruby version is 2.5.1p57.

-Dave
Martin Stenzel
2023-Apr-10 12:37 UTC
https://www.mail-archive.com/dovecot@dovecot.org/msg77000.html
Hi team,

regarding: https://www.mail-archive.com/dovecot@dovecot.org/msg77000.html

I have the very same problem.

terve:/tmp #decrypt.rb -k /etc/dovecot/mailcrypt/ecpubkey.pem -f ./1681118363....terve.xy-space.de\,S\=3452\,W\=3515\:2\,S
Key(s) (total: 1)
 - Key type  : EC
 - Key digest: a27b201cf7f59f...
 - Peer key  : 04aaca0143208904deced2732aaa...
 - Encrypted : 4cde641bff16098b91bfaf66...
 - Kd hash   : 9e229ec6c0...

terve:/tmp #decrypt.rb -k /etc/dovecot/mailcrypt/ecprivkey.pem -f ./16811....terve.xy-space.de\,S\=3452\,W\=3515\:2\,S
Key(s) (total: 1)
 - Key type  : EC
 - Key digest: a27b201cf7f59f978bb9b27947f60a9...
 - Peer key  : 04aaca0143208904deced2732aaaf127...
 - Encrypted : 4cde641bff16098b91bfaf66c9...
 - Kd hash   : 9e229ec6c09...

terve:/tmp #decrypt.rb -i -k /etc/dovecot/mailcrypt/ecprivkey.pem -f ./1681118...terve.xy-space.de\,S\=3452\,W\=3515\:2\,S
Version       : 2
Flags         : AEAD integrity
Header length : 255
Cipher algo   : aes-256-gcm (2.16.840.1.101.3.4.1.46)
Digest algo   : sha256 (2.16.840.1.101.3.4.2.1)
Key derivation
 - Rounds    : 2048
...

N. B. Before posting I arbitrarily removed numbers from the output, maybe paranoid...

Environment:
openSuSE Linux server.
dovecot version 2.3.20
openssl version 1.1.1
ruby version 3.1.2p20
decrypt.rb version https://gist.github.com/cmouse/882f2e2a60c1e49b7d343f5a6a2721de

This is the way I generated the keys:

openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem
openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem

This is the 10-mailcrypt.conf:

mail_plugins = $mail_plugins mail_crypt
plugin {
   #fts_index_fs = crypt:set_prefix=fscrypt_index:posix:set_prefix=/tmp/fts
   mail_crypt_global_private_key = </etc/dovecot/mailcrypt/ecprivkey.pem
   mail_crypt_global_public_key = </etc/dovecot/mailcrypt/ecpubkey.pem
   mail_crypt_save_version = 2
}

Encryption of incoming (thanks to dovecot-lda), as well as outgoing mails works perfectly.

But for me it is more a feature than a bug, since now, even as root, I am not able to decrypt users' mails. This serves plausible deniability. But how can I make sure that NOBODY ELSE can decrypt with this specific private key? Is there ANY OTHER way to decrypt the mails besides the script?

Have a nice Monday, and THANKS for taking your time!

Martin, Cologne

P. S. Did you notice that as an argument (-k) the results are the same, both with private and public key?

P.P.S. If I give the "-w" argument and a file name, the file remains empty, tried even that without success.

P.P.P.S. If I call the script with ruby version 2 it bails out...