uxqex4efpu at elude.in
2019-Dec-08 07:42 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
What is the best way to have a bash script run (as root) at the time a mailbox is created (lda_mailbox_autocreate)?

I use dovecot 2.3.4.1 on Debian 10, with the mail-crypt plugin: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

I have set up mail-crypt to require an encrypted user EC key (mail_crypt_require_encrypted_user_key = yes). I want to passphrase-encrypt the EC key using the client's plaintext password, so that no credential is stored on the server. But because users may choose bad passwords, I concatenate the user's plaintext password with a random salt, hash the string with SHA512(), and use the result as the decryption key (mail_crypt_private_password) for the EC private key.

For the above I have this plugin config:

> mail_plugins = $mail_plugins mail_crypt
> plugin {
>   mail_crypt_curve = secp256k1
>   mail_crypt_require_encrypted_user_key = yes
>   mail_crypt_save_version = 2
> }

And to return userdb_mail_crypt_private_password I have this SQL query:

> password_query = SELECT username, password, \
>   SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
>   FROM virtual_users WHERE username='%u';

But how do I generate the user's key automatically? Note that to generate the user's key I need the user's plaintext password, and I never save users' plaintext passwords on the server.

Note also that users are created by PHP on the server's web site. For security I do not allow PHP to exec a shell (php.ini disable_functions), and I am definitely not giving PHP access to doveadm!

To solve the problem of generating the user's encrypted key, I have the imap service call the service 'imap-postlogin', as described in the "Post-login scripting" documentation: https://doc.dovecot.org/admin_manual/post_login_scripting/

'imap-postlogin' executes my custom script via the 'script-login' binary: https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c

Here is the config for the above:

> service imap {
>   executable = imap imap-postlogin
> }
> service imap-postlogin {
>   executable = script-login /usr/local/bin/generateKeys.sh
>   unix_listener imap-postlogin {
>   }
> }

And generateKeys.sh is a simple script that generates the keys with the sha256() hash produced by MySQL. Note that the variable ${MAIL_CRYPT_PRIVATE_PASSWORD} is automatically populated from the 'userdb_mail_crypt_private_password' field returned by the MySQL query, as documented at https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings:

> Fields returned by userdb lookup with their keys uppercased
> (e.g. if userdb returned home, it's stored in HOME).

Here is generateKeys.sh:

> #!/bin/bash
> # Generate the user key only when `cryptokey list` prints nothing below its header line
> if [ "$(/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l)" -lt 2 ]; then
>   /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" mailbox cryptokey generate -u "${USER}" -U > /dev/null
> fi
> # Hand over to the real imap binary passed by script-login
> exec "$@"

This works! But I want something better. Why execute it on every login? Could generateKeys.sh instead be executed only at the time dovecot creates the mailbox (lda_mailbox_autocreate)?
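As an added example (not the poster's script or Dovecot's own code), the same post-login hook written so that it parses the `doveadm mailbox cryptokey list` output for a key row instead of counting lines, and only then calls `cryptokey generate`; the DOVEADM variable that lets a stub stand in for the real binary is an assumption for offline testing.

```bash
#!/bin/bash
# Added example, not the thread's generateKeys.sh: a post-login hook for
# Dovecot's script-login that only generates the user's mail-crypt key when
# `doveadm mailbox cryptokey list -U` shows no key row. The user and the
# password-derived key password arrive in the environment as USER and
# MAIL_CRYPT_PRIVATE_PASSWORD (userdb fields uppercased by script-login).
set -u

# Read `doveadm mailbox cryptokey list -u <user> -U` output on stdin and return 0
# if at least one key row follows the "Folder Active Public ID" header. A user
# key row has an empty Folder column, e.g. "        yes    XYZ" (two fields).
cryptokey_present() {
    awk 'NR > 1 && NF >= 2 { found = 1 } END { exit !found }'
}

# Generate the user key only if none exists. $1 = user, $2 = key password.
# DOVEADM (assumed variable) lets a test substitute a stub for the real binary.
ensure_user_cryptokey() {
    local user="$1" key_password="$2"
    local doveadm="${DOVEADM:-/usr/bin/doveadm}"
    if "$doveadm" mailbox cryptokey list -u "$user" -U | cryptokey_present; then
        return 0    # key already present: nothing to do
    fi
    # Caveat: a setting passed with -o is visible in the process list (ps) while
    # doveadm runs, so the derived key password is briefly exposed on the host.
    "$doveadm" -o "plugin/mail_crypt_private_password=${key_password}" \
        mailbox cryptokey generate -u "$user" -U >/dev/null
}

# When invoked by script-login (imap binary passed as arguments), ensure the key
# exists and then hand over to the real imap process, as the original script does.
if [ "$#" -gt 0 ] && [ -n "${MAIL_CRYPT_PRIVATE_PASSWORD:-}" ]; then
    ensure_user_cryptokey "$USER" "$MAIL_CRYPT_PRIVATE_PASSWORD"
    exec "$@"
fi
```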
Aki Tuomi
2019-Dec-08 08:04 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
Technically, creating and encrypting a folder key does not require decrypting the user's private key. All folder keys are encrypted with the user's public key.

Aki

---
Aki Tuomi
uxqex4efpu at elude.in
2019-Dec-08 14:22 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
> Technically creating and encrypting folder key does not
> require decrypting user's private key. All folder keys
> are encrypted with user's public key.

The problem is that this is a new user. The new user has no private key, and I need to generate that private key. It makes no sense to encrypt something with a public key if there is no private key: the public and private keys are mathematically related and have to be created together. Am I using the wrong command for creating the user's main encrypted EC private key?

Back to my primary question: is there any way to have dovecot execute a bash script at the time the mailbox is created (lda_mailbox_autocreate)?

Also, I notice some extra behaviour when I do the following:

1. I create the user in the MySQL database.
2. I confirm that no mailbox exists for the user.
3. I confirm that no cryptokeys exist for the user:

> root@localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
> Folder Active Public ID
> root@localhost:/var/vmail#

4. Before creating a mailbox or cryptokeys for the user, I send mail from an existing user to the new user.
5. Postfix delivers the mail to dovecot.
6. Dovecot accepts the mail for the new user and creates the mailbox automatically (lda_mailbox_autocreate).
7. I check and see that dovecot has created a key for the user:

> root@localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
> Folder Active Public ID
>        yes    XYZ
> root@localhost:/var/vmail#

How is that possible??? I have set in the mail-crypt settings that user keys have to be encrypted (mail_crypt_require_encrypted_user_key = yes), but I supplied no key! How does dovecot create the user's main encrypted public/private EC keypair without being given an encryption key? I confirm that the mail for 'newuser' is encrypted, but of course I cannot decrypt the mail. I get the error:

> dovecot: imap(newuser...Error: Mailbox INBOX: UID=1: read()
> failed...Private key not available: Cannot decrypt key XYZ

So it is no good to execute generateKeys.sh on the user's first login. What if the user receives email before the first login? How do I execute generateKeys.sh on mailbox creation, and how do I handle incoming emails when no keypair has been created yet? Reject, queue, or save unencrypted until I generate the keypair? Is that possible?