uxqex4efpu at elude.in
2019-Dec-08 14:22 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
> Technically creating and encrypting folder key does not
> require decrypting user's private key. All folder keys
> are encrypted with user's public key.

The problem is that this is a new user. The new user has no private key. I need to generate that private key. It does not make sense to encrypt something using a public key if there is no private key. Public and private key are mathematically related and have to be created together. Am I using the wrong command for creating the main user encrypted EC private key?

My primary question: is there any way to have dovecot execute a bash script at the time the mailbox is created (lda_mailbox_autocreate)?

Also, I notice extra behavior when I do this:

1. I create the user in the mysql database
2. I confirm that no mailbox exists for the user
3. I confirm that no cryptokeys exist for the user

> root at localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
> Folder Active Public ID
> root at localhost:/var/vmail#

4. Before creating a mailbox or cryptokeys for the user, I send mail from an existing user to the new user
5. Postfix delivers the mail to dovecot
6. Dovecot accepts the mail for the new user and creates the mailbox automatically (lda_mailbox_autocreate)
7. I check and see that dovecot created a key for the user

> root at localhost:/var/vmail# doveadm mailbox cryptokey list -u newuser -U
> Folder Active Public ID
> yes XYZ
> root at localhost:/var/vmail#

How is this possible??? I have set in the mail-crypt settings that user keys have to be encrypted (mail_crypt_require_encrypted_user_key = yes), but I supplied no key! How does dovecot create the main user encrypted public/private EC keypair without an encryption key being given?

I confirm that the mail for 'newuser' is encrypted, but of course I cannot decrypt the mail. I get this error:

> dovecot: imap(newuser...Error: Mailbox INBOX: UID=1: read()
> failed...Private key not available: Cannot decrypt key XYZ

It is not good to execute generateKeys.sh on the user's first login. What if the user receives email before first login? How do I execute generateKeys.sh on mailbox creation, and how do I handle incoming emails without any keypair created? Reject, queue, or save unencrypted until I generate the keypair? Is that possible?

On Sun, December 8, 2019 08:04, Aki Tuomi via dovecot wrote:
> Technically creating and encrypting folder key does not require
> decrypting user's private key. All folder keys are encrypted with user's
> public key.
>
> Aki
>
> > On 08/12/2019 09:42 uxqex4efpu--- via dovecot <dovecot at dovecot.org> wrote:
> >
> > What is the best way to cause a bash script to run (as root) at the time
> > a mailbox is created (lda_mailbox_autocreate)?
> >
> > I use dovecot 2.3.4.1 on Debian 10.
> >
> > And I use the mail-crypt plugin
> > https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
> >
> > I set up mail-crypt to require an encrypted user EC key
> > (mail_crypt_require_encrypted_user_key = yes). I want to passphrase-encrypt
> > the EC key using the client's plaintext password. No credential is stored
> > on the server. But in case a user uses a bad password, I concatenate the
> > user's plaintext password with a random salt, then SHA512() hash the string
> > and use it as the decryption key (mail_crypt_private_password) for the EC
> > private key.
> >
> > For the above I have this plugin config:
> >
> > mail_plugins = $mail_plugins mail_crypt
> > plugin {
> >   mail_crypt_curve = secp256k1
> >   mail_crypt_require_encrypted_user_key = yes
> >   mail_crypt_save_version = 2
> > }
> >
> > And for returning userdb_mail_crypt_private_password, I have this sql query:
> >
> > password_query = SELECT username, password, \
> >   SHA2( CONCAT('%w',salt), 512 ) AS userdb_mail_crypt_private_password \
> >   FROM virtual_users WHERE username='%u';
> >
> > But how do I generate the user key automatically? Note that for generating
> > the user key, I need the user's plaintext password. I never save the user's
> > plaintext password on the server.
> >
> > Also note that users are created in PHP on the web server. And for security
> > I do not allow PHP to exec a shell (php.ini disabled_functions). Definitely
> > not giving PHP doveadm access!
> >
> > To solve generating the encrypted user key, I call the 'imap-postlogin'
> > service as the "Post-login scripting" document describes
> > https://doc.dovecot.org/admin_manual/post_login_scripting/
> >
> > And 'imap-postlogin' executes my custom script with the 'script-login' binary
> > https://github.com/dovecot/core/blob/8606e1abb90a1c91357b84bf547a89564d053533/src/util/script-login.c
> >
> > Here is the config for the above:
> >
> > service imap {
> >   executable = imap imap-postlogin
> > }
> > service imap-postlogin {
> >   executable = script-login /usr/local/bin/generateKeys.sh
> >   unix_listener imap-postlogin {
> >   }
> > }
> >
> > And generateKeys.sh is a simple script for generating keys with the sha256()
> > hash produced by mysql. Note that the variable ${MAIL_CRYPT_PRIVATE_PASSWORD}
> > is automatically set from the 'userdb_mail_crypt_private_password' field
> > returned by the mysql query, as documented at
> > https://doc.dovecot.org/admin_manual/post_login_scripting/running-surroundings
> >
> > Fields returned by userdb lookup with their keys uppercased
> > (e.g. if userdb returned home, it's stored in HOME).
> >
> > Here is generatekeys.sh:
> >
> > #!/bin/bash
> > if [ `/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U > /dev/null | wc -l` -lt 2 ]; then
> >   /usr/bin/doveadm -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" mailbox cryptokey generate -u "${USER}" -U > /dev/null
> > fi
> > exec "$@"
> >
> > This works! But I want it better. Why execute on each login? Is it possible
> > to have generateKeys.sh execute only when dovecot creates the mailbox
> > (lda_mailbox_autocreate) instead?
> >
> > ---
> > Aki Tuomi
Aki Tuomi
2019-Dec-08 18:15 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
It's a known issue that the password will be set to silly value, most likely 'yes'.

You should generate the user key during provisioning with `doveadm cryptokey generate -Uu user -n password`.

Aki

> On 08/12/2019 16:22 uxqex4efpu@elude.in wrote:

---
Aki Tuomi
uxqex4efpu at elude.in
2019-Dec-09 14:09 UTC
bash script hook lda_mailbox_autocreate for generate mail-crypt user encrypted private key with user password
> It's a known issue that the password will be set to silly
> value, most likely 'yes'.

Hello Aki, thank you. In fact, it appears to generate the key unencrypted! I test whether a key is encrypted or not with `doveadm mailbox cryptokey export -Uu newuser`. For the keys created by dovecot when new email arrives before key generation, I get the private key even when I supply no password at all:

> root at localhost:/var/vmail# doveadm mailbox cryptokey export -Uu newuser
> Folder:
> Public ID: ABC
> Error:
> -----BEGIN PRIVATE KEY-----
> XYZ
> -----END PRIVATE KEY-----

For keys I generate before dovecot generates a keypair on mail delivery, I get an encoding error. I think "encoding error" means that the private key is encrypted, unlike above.

> Folder: ABC
> Public ID: ERROR: error:03070068:bignum routines:BN_mpi2bn:encoding error
> Error:

Is there a better way to check if a key is encrypted or unencrypted? This is very strange when I use 'mail_crypt_require_encrypted_user_key = yes'. Not expected. Is it possible to add this to the documentation of the mail-crypt plugin? May I recommend adding a notice in "Encrypted user keys" https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/encrypted-user-keys

> Note: If 'mail_crypt_require_encrypted_user_key' is set to 'yes',
> dovecot can still create and store an unencrypted key on
> disk if the user receives mail before generating a keypair.

I think this is very important to document. Thank you!

> You should generate the user key
> during provisioning with
> `doveadm cryptokey generate -Uu user -n password`.

This is not possible. I provision users in PHP, and it is very important that I do not allow PHP shell/exec access (php.ini disabled_functions). PHP has mysql access only. I see no safe way for PHP to have permission to execute `doveadm`.

But I found a solution! I tested setting dovecot autocreate to disabled (lda_mailbox_autocreate = no), but it still autocreates! And autocreate creates a broken mail-crypt keypair for the user. But it is possible to stop autocreate!

I read here that dovecot does not autocreate if 'mail_location' is not defined! So I deleted 'mail_location' from the dovecot config, and now the first email sent to a new user before the user keypair is generated produces an error. Good!

> postfix/lmtp...[Private/dovecot-lmtp] said: 451 4.3.0 <newuser at localhost.localdomain> Temporary internal error (in reply to end of DATA command)

And I updated my post-login script generateKeys.sh to include 'mail_location':

> #!/bin/bash
>
> # string sanitization checks
> USER=${USER//\"/}
> MAIL_CRYPT_PRIVATE_PASSWORD=${MAIL_CRYPT_PRIVATE_PASSWORD//\"/}
> echo "${USER}" | grep -E '^[0-9A-Za-z]{1,100}$' > /dev/null || exit 1
> echo "${MAIL_CRYPT_PRIVATE_PASSWORD}" | grep -E '^[0-9A-Za-z]{128}$' > /dev/null || exit 1
>
> # this list command outputs one human-readable "header" line always
> # if there is at least one key, it will output two or more lines
> # if there are no keys for the given user, it will have less than two lines
> if [ `/usr/bin/doveadm mailbox cryptokey list -u "${USER}" -U | wc -l` -lt 2 ]; then
>   /usr/bin/doveadm -o "mail_location=maildir:~/Maildir/" -o "plugin/mail_crypt_private_password=${MAIL_CRYPT_PRIVATE_PASSWORD}" mailbox cryptokey generate -u "${USER}" -U > /dev/null
> fi
>
> exec "$@"

Now it works! The mail-crypt plugin no longer creates a bad key that locks out the user. Now the first login generates the user keypair using the user's salted password hash, which is never stored on the server. Very good!

On Sun, December 8, 2019 18:15, Aki Tuomi via dovecot wrote:
> It's a known issue that the password will be set to silly value, most
> likely 'yes'.
>
> You should generate the user key during provisioning with `doveadm
> cryptokey generate -Uu user -n password`.
>
> Aki
>
> > On 08/12/2019 16:22 uxqex4efpu at elude.in wrote:
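An added example (not the poster's script and not Dovecot's own code) that models the provisioning logic discussed in this thread in Python: the SQL derivation of mail_crypt_private_password, the post-login script's input checks and "does a key exist yet" rule, the argv the final script runs, and a heuristic reading of the two `cryptokey export` outputs shown above. The doveadm outputs below are constructed from what the thread shows; the paths and options are assumed to be those in the final script.

```python
import hashlib
import re

# Whitelists copied from the post-login script's grep -E checks.
USER_RE = re.compile(r"^[0-9A-Za-z]{1,100}$")
PASSWORD_RE = re.compile(r"^[0-9A-Za-z]{128}$")


def derive_private_password(plaintext_password: str, salt: str) -> str:
    """Python equivalent of the SQL expression SHA2(CONCAT('%w', salt), 512):
    128 lowercase hex characters, so it always passes PASSWORD_RE."""
    return hashlib.sha512((plaintext_password + salt).encode("utf-8")).hexdigest()


def sanitize_env(user: str, private_password: str) -> tuple:
    """The script's sanitization: strip double quotes, then reject anything
    outside the whitelist. Raises ValueError where the script does `exit 1`."""
    user = user.replace('"', "")
    private_password = private_password.replace('"', "")
    if not USER_RE.match(user):
        raise ValueError("USER failed sanitization")
    if not PASSWORD_RE.match(private_password):
        raise ValueError("MAIL_CRYPT_PRIVATE_PASSWORD failed sanitization")
    return user, private_password


def needs_key_generation(cryptokey_list_output: str) -> bool:
    """`doveadm mailbox cryptokey list` always prints one header line; two or
    more lines (as `wc -l` would count them) means at least one key exists."""
    return len(cryptokey_list_output.splitlines()) < 2


def build_generate_command(user: str, private_password: str) -> list:
    """The doveadm invocation from the final script, built as an argv list so
    the derived password never passes through a shell."""
    return [
        "/usr/bin/doveadm",
        "-o", "mail_location=maildir:~/Maildir/",
        "-o", "plugin/mail_crypt_private_password=" + private_password,
        "mailbox", "cryptokey", "generate", "-u", user, "-U",
    ]


def exported_key_state(export_output: str) -> str:
    """Heuristic based only on the two export outputs in the thread: a PEM
    block means the private key came back in the clear; the dcrypt
    'encoding error' means it could not be read without the password."""
    if "-----BEGIN PRIVATE KEY-----" in export_output:
        return "unencrypted"
    if "encoding error" in export_output:
        return "encrypted-or-wrong-password"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    derived = derive_private_password("correct horse battery", "c0ffee")
    user, derived = sanitize_env("newuser", derived)
    no_keys_yet = "Folder Active Public ID\n"          # constructed list output
    if needs_key_generation(no_keys_yet):
        print(" ".join(build_generate_command(user, "<derived-hash>")))
```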