Do I have to replace the "password" part with the actual password or can I just copy it like that?

Will dovecot create the keypair automatically or do I have to use doveadm?

4. Sep. 2019, 08:33 by aki.tuomi at open-xchange.com:

> On 4.9.2019 9.21, **** **** via dovecot wrote:
>
>> Hello there,
>>
>> is there a way to make the mailcrypt plugin use the user's password or at least store it in a hashed value?
>>
>> I'm using a passwd file for authentication.
>>
>> I feel uncomfortable saving the private password in plaintext in that file.
>>
>> Regards
>
> You can try in passdb return
>
> userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>
> Aki
It should pick up the password used by the user, there is a caveat here though. The keypair is created on first use, so password will be initialized to empty string going through pkcs5. This is slightly inconvenient.

To avoid this, you should probably have

protocol imap {
  passdb {
    driver = static
    args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
  }
}

and initialize the keypair using doveadm and set the password to this value there.

This requires some user management tools though so that the password is changed with doveadm when user changes their password.

Another alternative is to keep the private password in database, you can use the var expand encryption plugin to make sure it's decryptable with the user's password. See https://doc.dovecot.org/configuration_manual/config_file/config_variables/ for details.

Key management is pretty much the most difficult thing in mail crypt plugin =)

Aki

On 4.9.2019 9.40, info--- via dovecot wrote:

> Do I have to replace the "password" part with the actual password or can I just copy it like that?
>
> Will dovecot create the keypair automatically or do I have to use doveadm?
>
> 4. Sep. 2019, 08:33 by aki.tuomi at open-xchange.com:
>
>> On 4.9.2019 9.21, **** **** via dovecot wrote:
>>
>>> Hello there,
>>>
>>> is there a way to make the mailcrypt plugin use the user's password or at least store it in a hashed value?
>>>
>>> I'm using a passwd file for authentication.
>>>
>>> I feel uncomfortable saving the private password in plaintext in that file.
>>>
>>> Regards
>>
>> You can try in passdb return
>>
>> userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>>
>> Aki
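Added example, not part of the original thread and not Dovecot code: a small Python model of the caveat in the reply above, showing why a keypair created on first use ends up protected by a different value than the one derived at login, and why a login password change needs a matching key password change. Assumptions: PBKDF2 with SHA-256 and 2048 rounds stands in for the `pkcs5` expansion (so the output is not guaranteed to match Dovecot byte for byte), `KeyStore` is a hypothetical toy that records the protecting value instead of encrypting a key, and the user name and passwords are constructed.

```python
import base64
import hashlib
import hmac

# Assumed parameters for this model; check the Dovecot variable-expansion
# documentation for the real defaults before relying on an exact value.
ALGO, ROUNDS = "sha256", 2048

def derive(password: str, user: str) -> str:
    """Model of %{pkcs5,salt=%u,format=base64:password}:
    PBKDF2 over the login password, username as salt, base64 output."""
    raw = hashlib.pbkdf2_hmac(ALGO, password.encode(), user.encode(), ROUNDS)
    return base64.b64encode(raw).decode()

class KeyStore:
    """Toy stand-in for mail_crypt private keys: it only records which
    derived password protects each user's key (no real encryption)."""
    def __init__(self):
        self.protected_by = {}
    def open(self, user: str, derived: str) -> str:
        if user not in self.protected_by:      # keypair created on first use
            self.protected_by[user] = derived
            return "created"
        ok = hmac.compare_digest(self.protected_by[user], derived)
        return "unlocked" if ok else "locked"

    def rewrap(self, user: str, old: str, new: str) -> bool:
        """Models changing the key password with an admin tool."""
        if not hmac.compare_digest(self.protected_by.get(user, ""), old):
            return False
        self.protected_by[user] = new
        return True

def scenario() -> dict:
    user, pw, new_pw = "alice@example.test", "constructed-pass-1", "constructed-pass-2"
    out = {}
    lazy = KeyStore()                      # key created with an empty password
    out["first_use"] = lazy.open(user, derive("", user))
    out["login_after_lazy"] = lazy.open(user, derive(pw, user))
    pre = KeyStore()                       # key provisioned with the derived value
    pre.open(user, derive(pw, user))
    out["login_after_provision"] = pre.open(user, derive(pw, user))
    out["after_pw_change"] = pre.open(user, derive(new_pw, user))
    out["rewrapped"] = pre.rewrap(user, derive(pw, user), derive(new_pw, user))
    out["after_rewrap"] = pre.open(user, derive(new_pw, user))
    return out

if __name__ == "__main__":
    print(scenario())
```
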
Are any of the password schemes supported or is there a reason you chose pkcs5?

4. Sep. 2019, 08:45 by aki.tuomi at open-xchange.com:

> It should pick up the password used by the user, there is a caveat here though. The keypair is created on first use, so password will be initialized to empty string going through pkcs5. This is slightly inconvenient.
>
> To avoid this, you should probably have
>
> protocol imap {
>   passdb {
>     driver = static
>     args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>   }
> }
>
> and initialize the keypair using doveadm and set the password to this value there.
>
> This requires some user management tools though so that the password is changed with doveadm when user changes their password.
>
> Another alternative is to keep the private password in database, you can use the var expand encryption plugin to make sure it's decryptable with the user's password. See https://doc.dovecot.org/configuration_manual/config_file/config_variables/ for details.
>
> Key management is pretty much the most difficult thing in mail crypt plugin =)
>
> Aki
>
> On 4.9.2019 9.40, info--- via dovecot wrote:
>
>> Do I have to replace the "password" part with the actual password or can I just copy it like that?
>>
>> Will dovecot create the keypair automatically or do I have to use doveadm?
>>
>> 4. Sep. 2019, 08:33 by aki.tuomi at open-xchange.com:
>>
>>> On 4.9.2019 9.21, **** **** via dovecot wrote:
>>>
>>>> Hello there,
>>>>
>>>> is there a way to make the mailcrypt plugin use the user's password or at least store it in a hashed value?
>>>>
>>>> I'm using a passwd file for authentication.
>>>>
>>>> I feel uncomfortable saving the private password in plaintext in that file.
>>>>
>>>> Regards
>>>
>>> You can try in passdb return
>>>
>>> userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>>>
>>> Aki