uxqex4efpu at elude.in
2019-Dec-08 07:42 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
What it is way most best for causing bash script run (as root) of time mailbox created (lda_mailbox_autocreate)? I use dovecot 2.3.4.1 in Debian 10. And I use of mail-crypt-plugin https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ I setup mail-crypt for requiring user encrypted EC key (mail_crypt_require_encrypted_user_key = yes). I want for passphrase encrypt EC key using client plaintext password. There is credential no stored on server. But for user with use password too bad, I concatenate user plaintext password with random salt. And then string to SHA512() hash and use as decryption key (mail_crypt_private_password) for EC private key. For above I have plugin config> mail_plugins = $mail_plugins mail_crypt > plugin { > mail_crypt_curve = secp256k1 > mail_crypt_require_encrypted_user_key = yes > mail_crypt_save_version = 2 > }And for returning userdb_mail_crypt_private_password, I have sql query> password_query = SELECT username, password, \ > SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \ > FROM virtual_users WHERE username='%u';But how I generate key of user automatically? Note for generating key of user, I need user password plaintext. I never save plaintext password of user of the server. Also user of note creates in PHP of web of the server. And for security I do not allow PHP exec shell (php.ini disabled_functions). Definitely not leaving PHP doveadm access! For solving subject to generate user key encrypted, I do imap of call of the service 'imap-postlogin' the service likes document "Post-login scripting' write https://doc.dovecot.org/admin_manual/post_login_scripting/ And 'imap-postlogin' execute my custom script with 'script-login' binary https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c Here it is config for above> service imap { > executable = imap imap-postlogin > } > service imap-postlogin { > executable = script-login /usr/local/bin/generateKeys.sh > unix_listener imap-postlogin { > } > }And generateKeys.sh it is script simple for generating keys with sha256() hash product mysql. Variable of note ${MAIL_CRYPT_PRIVATE_PASSWORD} automatically put of 'userdb_mail_crypt_private_password' return of mysql field of query when documented https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings> Fields returned by userdb lookup with their keys uppercased > (e.g. if userdb returned home, it's stored in HOME).Here generatekeys.sh> #!/bin/bash > if [ `/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U >/dev/null | wc -l` -lt 2 ]; then> /usr/bin/doveadm -o"plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" mailbox cryptokey generate -u "${USER}" -U > /dev/null> fi > exec "$@"This work! But I want more good. By why execute each login? Possible has generateKeys.sh execute in the times only of dovecot create mailbox (lda_mailbox_autocreate) instead?
Aki Tuomi
2019-Dec-08 08:04 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> Technically creating and encrypting folder key does not require decrypting user's private key. All folder keys are encrypted with user's public key. </div> <div> <br> </div> <div> Aki </div> <blockquote type="cite"> <div> On 08/12/2019 09:42 uxqex4efpu--- via dovecot < <a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote: </div> <div> <br> </div> <div> <br> </div> <div> What it is way most best for causing bash script run (as root) of time </div> <div> mailbox created (lda_mailbox_autocreate)? </div> <div> <br> </div> <div> I use dovecot 2.3.4.1 in Debian 10. </div> <div> <br> </div> <div> And I use of mail-crypt-plugin </div> <div> <a href="https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/" rel="noopener" target="_blank">https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/</a> </div> <div> <br> </div> <div> I setup mail-crypt for requiring user encrypted EC key </div> <div> (mail_crypt_require_encrypted_user_key = yes). I want for passphrase </div> <div> encrypt EC key using client plaintext password. There is credential no </div> <div> stored on server. But for user with use password too bad, I concatenate </div> <div> user plaintext password with random salt. And then string to SHA512() hash </div> <div> and use as decryption key (mail_crypt_private_password) for EC private </div> <div> key. </div> <div> <br> </div> <div> For above I have plugin config </div> <div> <br> </div> <blockquote type="cite"> <div> mail_plugins = $mail_plugins mail_crypt </div> <div> plugin { </div> <div> mail_crypt_curve = secp256k1 </div> <div> mail_crypt_require_encrypted_user_key = yes </div> <div> mail_crypt_save_version = 2 </div> <div> } </div> </blockquote> <div> And for returning userdb_mail_crypt_private_password, I have sql query </div> <div> <br> </div> <blockquote type="cite"> <div> password_query = SELECT username, password, \ </div> <div> SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \ </div> <div> FROM virtual_users WHERE username='%u'; </div> </blockquote> <div> But how I generate key of user automatically? Note for generating key of </div> <div> user, I need user password plaintext. I never save plaintext password of </div> <div> user of the server. </div> <div> <br> </div> <div> Also user of note creates in PHP of web of the server. And for security I </div> <div> do not allow PHP exec shell (php.ini disabled_functions). Definitely not </div> <div> leaving PHP doveadm access! </div> <div> <br> </div> <div> For solving subject to generate user key encrypted, I do imap of call of </div> <div> the service 'imap-postlogin' the service likes document "Post-login </div> <div> scripting' write </div> <div> <a href="https://doc.dovecot.org/admin_manual/post_login_scripting/" rel="noopener" target="_blank">https://doc.dovecot.org/admin_manual/post_login_scripting/</a> </div> <div> <br> </div> <div> And 'imap-postlogin' execute my custom script with 'script-login' binary </div> <div> <a href="https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c" rel="noopener" target="_blank">https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c</a> </div> <div> <br> </div> <div> Here it is config for above </div> <div> <br> </div> <blockquote type="cite"> <div> service imap { </div> <div> executable = imap imap-postlogin </div> <div> } </div> <div> service imap-postlogin { </div> <div> executable = script-login /usr/local/bin/generateKeys.sh </div> <div> unix_listener imap-postlogin { </div> <div> } </div> <div> } </div> </blockquote> <div> And generateKeys.sh it is script simple for generating keys with sha256() </div> <div> hash product mysql. Variable of note ${MAIL_CRYPT_PRIVATE_PASSWORD} </div> <div> automatically put of 'userdb_mail_crypt_private_password' return of mysql </div> <div> field of query when documented </div> <div> <a href="https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings" rel="noopener" target="_blank">https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings</a> </div> <div> <br> </div> <blockquote type="cite"> <div> Fields returned by userdb lookup with their keys uppercased </div> <div> (e.g. if userdb returned home, it's stored in HOME). </div> </blockquote> <div> Here generatekeys.sh </div> <div> <br> </div> <blockquote type="cite"> <div> #!/bin/bash </div> <div> if [ `/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U > </div> </blockquote> <div> /dev/null | wc -l` -lt 2 ]; then </div> <blockquote type="cite"> <div> /usr/bin/doveadm -o </div> </blockquote> <div> "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" </div> <div> mailbox cryptokey generate -u "${USER}" -U > /dev/null </div> <blockquote type="cite"> <div> fi </div> <div> exec "$@" </div> </blockquote> <div> This work! But I want more good. By why execute each login? Possible has </div> <div> generateKeys.sh execute in the times only of dovecot create mailbox </div> <div> (lda_mailbox_autocreate) instead? </div> </blockquote> <div> <br> </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </body> </html>
uxqex4efpu at elude.in
2019-Dec-08 14:22 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
> Technically creating and encrypting folder key does not > require decrypting user's private key. All folder keys > are encrypted with user's public key.Problem is for that this is a new user. The new user has no private key. I need for generating that private key. It do not the sense encrypts something using a key public if there is no private key. Both key public and private is mathematically related and have to be created together. I am using the wrong command for creating the main user encrypted EC private key? Directing my question primary: it is any way to have the dovecot executes a bash script in the time of the mailbox created (lda_mailbox_autocreate)? Also, I notice extra behavior when I do: 1. I creates user in mysql database 2. I confirms it not exists mailbox for user 3. I confirms it not exists cryptokeys for user> root at localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U > Folder Active Public ID > root at localhost:/var/vmail#4. Before create mailbox or cryptokeys for user, I send mail from exist user to new user 5. Postfix Delivers mail to dovecot 6. The dovecot accepts mail for new user and create mailbox automatically (lda_mailbox_autocreate) 7. I check and see that dovecot creates key of user> root at localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U > Folder Active Public ID > yes XYZ > root at localhost:/var/vmail#How the possible??? I have put in settings of mail-crypt that keys of user have to be encrypted (mail_crypt_require_encrypted_user_key = yes), but I supply no key! How the dovecot creates main user encrypted public/private EC keypair without key of encryption given? I confirm that element of post for 'newuser' is encrypted, but of course I can no decrypt the mail. I achieve error:> dovecot: imap(newuser...Error: Mailbox INBOX: UID=1: read() > failed...Private key not available: Cannot decrypt key XYZNo well for executing generateKeys.sh on user first login. What if the user receives email before first login? How I execute generateKeys.sh on create of mailbox and how I do emails incoming without any keypair created? For to reject or queue or save unencrypted until I generate keypair? It possible? On Sun, December 8, 2019 08:04, Aki Tuomi via dovecot wrote:>> Technically creating and encrypting folder key does not require > decrypting user's private key. All folder keys are encrypted with user's > public key. > > > > > Aki > > > On 08/12/2019 09:42 uxqex4efpu--- via dovecot <dovecot at dovecot.org>> wrote: > > > > > > > > > What it is way most best for causing bash script run (as root) of time > > > mailbox created (lda_mailbox_autocreate)? > > > > > I use dovecot 2.3.4.1 in Debian 10. > > > > > > And I use of mail-crypt-plugin > > > https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ > > > > > > I setup mail-crypt for requiring user encrypted EC key > > > (mail_crypt_require_encrypted_user_key = yes). I want for passphrase > > > encrypt EC key using client plaintext password. There is credential no > > stored on server. But for user with use password too bad, I concatenate > > user plaintext password with random salt. And then string to SHA512() > hash > > and use as decryption key (mail_crypt_private_password) for EC private > > key. > > > > > For above I have plugin config > > > > > > mail_plugins = $mail_plugins mail_crypt > > plugin { > > mail_crypt_curve = secp256k1 > > mail_crypt_require_encrypted_user_key = yes > > mail_crypt_save_version = 2 > > } > > > And for returning userdb_mail_crypt_private_password, I have sql query > > > > > > password_query = SELECT username, password, \ > > SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \ > > > FROM virtual_users WHERE username='%u'; > > > But how I generate key of user automatically? Note for generating key of > > > user, I need user password plaintext. I never save plaintext password of > > user of the server. > > > > > Also user of note creates in PHP of web of the server. And for security I > > > do not allow PHP exec shell (php.ini disabled_functions). Definitely not > > leaving PHP doveadm access! > > > > > For solving subject to generate user key encrypted, I do imap of call of > > > the service 'imap-postlogin' the service likes document "Post-login > > scripting' write > > https://doc.dovecot.org/admin_manual/post_login_scripting/ > > > > > > And 'imap-postlogin' execute my custom script with 'script-login' binary > > > https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d05 > 3533/src/util/script-login.c > > > > > > Here it is config for above > > > > > > service imap { > > executable = imap imap-postlogin > > } > > > service imap-postlogin { > > executable = script-login /usr/local/bin/generateKeys.sh > > unix_listener imap-postlogin { > > } > > > } > > > And generateKeys.sh it is script simple for generating keys with sha256() > > > hash product mysql. Variable of note ${MAIL_CRYPT_PRIVATE_PASSWORD} > > automatically put of 'userdb_mail_crypt_private_password' return of mysql > > > field of query when documented > > https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroun > dings > > > > > Fields returned by userdb lookup with their keys uppercased > > > (e.g. if userdb returned home, it's stored in HOME). > > > Here generatekeys.sh > > > > > > #!/bin/bash > > > if [ `/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U > > > /dev/null | wc -l` -lt 2 ]; then > > > /usr/bin/doveadm -o > > > "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" > > > mailbox cryptokey generate -u "${USER}" -U > /dev/null > > fi > > exec "$@" > > This work! But I want more good. By why execute each login? Possible has > > > generateKeys.sh execute in the times only of dovecot create mailbox > > (lda_mailbox_autocreate) instead? > > > > > ---Aki Tuomi> >
Possibly Parallel Threads
- bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
- bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
- bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
- Do encrypted user keys self generate?
- Best mail encryption solution for per-user