Hi,
I tried to enable encrypted folder keys using mail-crypt-plugin.
It works as expected when using unencrypted folder keys.
When I add
mail_crypt_require_encrypted_user_key = yes
as shown below, I somehow manage to crash dovecot:
dovecot: lmtp(82060): Fatal: master: service(lmtp):
child 82060 killed with signal 6 (core not dumped -
https://dovecot.org/bugreport.html#coredumps -
set service lmtp { drop_priv_before_exec=yes })
dovecot: lmtp(67814): Panic: file mail-user.c: line 229 (mail_user_deinit):
assertion failed: ((*user)->refcount== 1)
lmtp(root): Info: msgid=<07e3a23b2aaea60b at mx.2718282.net>:
save failed to INBOX: generate_keypair(INBOX) failed:
mail_crypt_require_encrypted_user_key set,
cannot generate user keypair without password or key
My config files:
# 2.3.14 (cee3cbc0d): /etc/mail/imap.conf
# OS: OpenBSD 6.9 amd64
auth_verbose = yes
debug_log_path = /var/log/dovecot
info_log_path = /var/log/dovecot
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_debug = yes
namespace inbox {
...
}
passdb {
args = /etc/mail/imap-sqlite.conf
driver = sql
}
plugin {
mail_crypt_curve = secp521r1
mail_crypt_require_encrypted_user_key = yes
mail_crypt_save_version = 2
}
protocols = imap lmtp
service imap-login {
...
}
ssl = required
ssl_cert = </etc/ssl/rsa.crt
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
userdb {
args = /etc/mail/imap-sqlite.conf
driver = sql
override_fields = uid=vmail gid=vmail
}
# file: /etc/mail/imap-sqlite.conf
driver = sqlite
connect = /etc/mail/sqlite.db
default_pass_scheme = BLF-CRYPT
user_query = SELECT '/home/vmail/'||destination AS home FROM virtuals WHERE email = '%u'
password_query = SELECT email as user, password, '%w' AS \
userdb_mail_crypt_private_password FROM credentials WHERE email = '%u'
Hi! This is because you do not have a private password set during delivery. To use this feature like this you need to make sure the user keys are generated using doveadm mail cryptokey generate -u user -U before delivery.

Aki

> On 28/05/2021 12:54 Daniel Schuermann <dovecot at 2718282.net> wrote:
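Added example, not from the thread or from Dovecot's own tooling: a provisioning step that does what Aki describes, generating each account's password-protected user key before the first delivery, so LMTP only ever needs the public key. LMTP does only a userdb lookup, so the %w password passed through password_query is never available at delivery time; the example hands doveadm the password with the -o plugin/mail_crypt_private_password override and uses "cryptokey list" to make the step idempotent (the DOVEADM variable, the ensure_user_key helper and the sample account are this example's own).

```shell
#!/bin/sh
# Added example (not from the thread): provision a password-protected
# mail_crypt user key before any LMTP delivery, as Aki suggests. Delivery then
# only needs the public key and never the private password.
set -eu

# Path to doveadm; overridable so the functions can be exercised without Dovecot.
DOVEADM="${DOVEADM:-doveadm}"
LAST_RESULT=""

# Succeeds when the user already has a user key, i.e. "cryptokey list -U"
# prints at least one key line.
has_user_key() {
    [ -n "$("$DOVEADM" mail cryptokey list -u "$1" -U 2>/dev/null)" ]
}

# Generate the user keypair encrypted with the given password, once.
# Idempotent: an existing key is never regenerated, so folder keys already
# encrypted to it stay readable. Sets LAST_RESULT to "exists" or "generated".
ensure_user_key() {
    user=$1
    password=$2
    if has_user_key "$user"; then
        LAST_RESULT="exists"
    else
        # The password is supplied as a per-invocation setting override; this is
        # the value LMTP lacks when mail_crypt_require_encrypted_user_key=yes.
        # It is visible in the process list while doveadm runs, so run this on
        # the mail host at account-creation time, not from a shared machine.
        "$DOVEADM" -o "plugin/mail_crypt_private_password=$password" \
            mail cryptokey generate -u "$user" -U >/dev/null
        LAST_RESULT="generated"
    fi
    echo "$user: $LAST_RESULT"
}

# Usage from an account-creation hook (constructed account):
#   provision-crypt-key.sh alice@example.net 'the-account-password'
if [ "$#" -eq 2 ]; then
    ensure_user_key "$1" "$2"
fi
```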