Hello, Can the mail_crypt "folder keys" feature be used with encrypted user keys in passwd-file without sql database? It seems that there is no guide in the docs. Best regards, narangd -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20200805/1878e415/attachment.html>
> On 05/08/2020 18:45 secure.light.0417.road <secure.light.0417.road at protonmail.com> wrote: > > > Hello, > > Can the?mail_crypt "folder keys" feature be used?with encrypted user keys in passwd-file without sql database? It seems that there is no guide in the docs. > > Best regards, > narangdDovecot stores folder and user keys into mail_attribute_dict. This does not have to be SQL database. You can also add `userdb_mail_crypt_private_password` into passwd-file to provide it if you use passwd-file as userdb. Aki
mail_crypt_private_password cannot be hashed, as it's used to encrypt the key. Aki> On 06/08/2020 10:06 secure.light.0417.road <secure.light.0417.road at protonmail.com> wrote: > > > I've tried to append the field "userdb_mail_crypt_private_password=<same-hashed-password-in-passwd-file>" to the end of each user line in userdb as passwd-file. And use the command below to generate keys. > > doveadm -o plugin/mail_crypt_private_password=<not-hashed-user-password> mailbox cryptokey generate -u <username> -U > > I confirmed mail encryption work properly. > > Also I've compared two "dovecot-attribute" files with and without "mail_crypt_require_encrypted_user_key = yes". Seemingly they have no difference. How to check that the private key in dovecot-attribute be encrypted properly? > > narangd > > Sent with ProtonMail Secure Email. > > ??????? Original Message ??????? > On Thursday, August 6, 2020 1:03 AM, Aki Tuomi <aki.tuomi at open-xchange.com> wrote: > > > > On 05/08/2020 18:45 secure.light.0417.road secure.light.0417.road at protonmail.com wrote: > > > Hello, > > > Can the?mail_crypt "folder keys" feature be used?with encrypted user keys in passwd-file without sql database? It seems that there is no guide in the docs. > > > Best regards, > > > narangd > > > > Dovecot stores folder and user keys into mail_attribute_dict. This does not have to be SQL database. > > > > You can also add `userdb_mail_crypt_private_password` into passwd-file to provide it if you use passwd-file as userdb. > > > > Aki
> On 06/08/2020 13:52 secure.light.0417.road <secure.light.0417.road at protonmail.com> wrote: > > > Ah, right. The hashed password can't be used to encrypt. > > I want to remove possibility to decrypt mails using materials in mail servers in VPS. I've thought about below scenario: > > 1. The client generates asymmetric keys in local. > 2. The client sends the public key to the dovecot in the mail server. > 3. The dovecot generates a symmetric key. > 4. The dovecot encrypts a received mail with the symmetric key. > 5. The dovecot also encrypts the symmetric key with the public key. > 6. The client get the mail and encrypted symmetric key from server into local and decrypts it using local private key. >You probably want to use PGP then.> Instead of 1 and 2, the way like "the dovecot generates all 3 and removes only private key", can be considered with docker image deployment.mail_crypt plugin is primarily intended to protect storage medium, and not end user as such. While it does support this, it's not perfect tool for it, and can be bit difficult to set up. Dovecot does not support client-supplied private keys.> > Is it possible with mail_crypt? > > narangd >Aki p.s. please keep responses on the list.
Seemingly Similar Threads
- mail_crypt folder keys without sql database
- [EXT] Re: mail_crypt folder keys without sql database
- [mail-crypt-plugin] Password Query for Folder Keys questions
- [Dovecot v2.3.9.3] HTTP API Endpoint for mailbox cryptokey operations
- Best mail encryption solution for per-user