Hgm. You have userdb lookups enabled, why not just move the entire
mail_crypt_private_password handling there instead of passdb? This way it'll
work with LMTP/LDA as well.
So move all user related fields to the userdb lookup, and keep only the
authentication handling in passdb.
In your configuration, passdb lookups are not done for LMTP/LDA etc.
Aki
> On 31/01/2022 12:00 Max Kostikov <max at kostikov.co> wrote:
>
>
> Unfortunately there are no "master out" entries in the log, but I have
> "userdb out"
>
> Jan 31 09:56:40 example.com dovecot: auth: Debug: master userdb out:
> USER#0111609564161#011max.kostikov at gmail.com#011home=/var/vmail/gmail.com/max.kostikov/#011mail=maildir:/var/vmail/gmail.com/max.kostikov/#011uid=150#011gid=8#011quota=dirsize:storage=0#011userdb_mail_crypt_private_password=<hidden>#011auth_mech=XOAUTH2#011auth_token=a8a38b3119780448ae96debd5687df75f5043378
>
>
> Aki Tuomi wrote 2022-01-31 11:47:
> > Was the field present in auth debug logs, it should be shown in the
> > "master out" log line and also it should be visible on mail_debug=yes
> > logs as `plugin/mail_crypt_private_key_password`.
> >
> > Aki
> >
> >> On 31/01/2022 11:40 Max Kostikov <max at kostikov.co> wrote:
> >>
> >>
> >> Unfortunately I still get a decryption error with "Password not
> >> available"
> >>
> >> ...
> >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot:
> >> imap(max.kostikov at gmail.com)<22267><59cRjt3Wbtx/AAAB>: Error: Mailbox
> >> INBOX: UID=1: read() failed:
> >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> >> failed: Private key not available: Cannot decrypt key
> >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: Cannot
> >> decrypt key
> >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >> Password not available
> >> Jan 31 09:39:03 dev-message-portal-08.healthycareservice.com dovecot:
> >> imap(max.kostikov at gmail.com)<22267><59cRjt3Wbtx/AAAB>: Disconnected:
> >> FETCH failed: Mailbox INBOX: UID=1: read() failed:
> >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.dev-message-portal-08.healthycareservice.com,S=2140,W=2193:2,S)
> >> failed: Private key not available: Cannot decrypt key
> >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: Cannot
> >> decrypt key
> >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >> Password not available in=463 out=1872 deleted=0 expunged=0 trashed=0
> >> hdr_count=1 hdr_bytes=115 body_count=0 body_bytes=0
> >>
> >>
> >> Aki Tuomi wrote 2022-01-31 11:33:
> >> > try adding
> >> >
> >> > result_success = continue-ok
> >> >
> >> > to the oauth2 database.
> >> >
> >> > Aki
> >> >
> >> >> On 31/01/2022 11:27 Max Kostikov <max at kostikov.co> wrote:
> >> >>
> >> >>
> >> >> Aki, thanks for your hint.
> >> >> Unfortunately I can't get this to work.
> >> >> Here is my configuration.
> >> >>
> >> >> auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
> >> >> passdb {
> >> >> driver = oauth2
> >> >> mechanisms = xoauth2 oauthbearer
> >> >> args = /etc/dovecot/dovecot-oauth2.conf.ext
> >> >> }
> >> >> passdb {
> >> >> driver = sql
> >> >> skip = unauthenticated
> >> >> args = /etc/dovecot/dovecot-sql-encryption.conf.ext
> >> >> }
> >> >> passdb {
> >> >> skip = authenticated
> >> >> driver = sql
> >> >> args = /etc/dovecot/dovecot-sql.conf.ext
> >> >> }
> >> >> userdb {
> >> >> driver = sql
> >> >> args = /etc/dovecot/dovecot-sql.conf.ext
> >> >> }
> >> >>
> >> >> * In the dovecot-oauth2.conf.ext I have a typical Google configuration.
> >> >>
> >> >> * dovecot-sql-encryption.conf.ext contains only the SQL query for the
> >> >> password:
> >> >>
> >> >> password_query = \
> >> >> SELECT \
> >> >> 150 AS userdb_uid, 8 AS userdb_gid, \
> >> >> SHA2(CONCAT(username, random_key), 256) AS
> >> >> userdb_mail_crypt_private_password, \
> >> >> 'Y' AS noauthenticate \
> >> >> FROM mailbox WHERE username = '%u'
> >> >>
> >> >> * dovecot-sql.conf.ext contains normal password authentication
> >> >> queries:
> >> >>
> >> >> password_query = \
> >> >> SELECT username AS user, password, \
> >> >> 150 AS userdb_uid, 8 AS userdb_gid, \
> >> >> SHA2(CONCAT(username, random_key), 256) AS
> >> >> userdb_mail_crypt_private_password \
> >> >> FROM mailbox WHERE username = '%u'
> >> >> AND active = '1'
> >> >>
> >> >> user_query = \
> >> >> SELECT \
> >> >> CONCAT('/var/vmail/', LCASE(maildir)) AS home, \
> >> >> CONCAT('maildir:/var/vmail/', LCASE(maildir)) AS mail, \
> >> >> 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS quota, \
> >> >> SHA2(CONCAT(username, random_key), 256) AS
> >> >> userdb_mail_crypt_private_password \
> >> >> FROM mailbox WHERE username = '%u'
> >> >> AND active = '1'
> >> >>
> >> >> iterate_query = \
> >> >> SELECT username AS user FROM mailbox
> >> >>
> >> >> It seems now dovecot-sql-encryption.conf.ext is not invoked
> >> >>
> >> >> Jan 31 09:11:45 example.com dovecot: imap-login: Login:
> >> >> user=<max.kostikov at gmail.com>, method=XOAUTH2, rip=127.0.0.1,
> >> >> lip=127.0.0.1, mpid=22615, TLS, session=<XtdzLN3WnMl/AAAB>
> >> >> Jan 31 09:11:45 example.com dovecot: auth: Debug: client in:
> >> >> AUTH#0111#011XOAUTH2#011service=imap#011secured=tls#011session=56F7LN3Wnsl/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=51614#011local_name=example.com#011resp=<hidden>
> >> >> Jan 31 09:11:45 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Performing passdb
> >> >> lookup
> >> >> Jan 31 09:11:45 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Making token
> >> >> validation lookup to
> >> >> https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
> >> >> Jan 31 09:11:45 example.com dovecot: auth: Debug: http-client[1]:
> >> >> queue
> >> >> https://www.googleapis.com:443: Using existing connection
to
> >> >> 172.253.63.95:443 (SSL=www.googleapis.com) (1 requests
pending)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> request [Req9: GET
> >> >>
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]:
> >> >> Submitted (requests left=1)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]: peer
> >> >> 172.253.63.95:443: Using 1 idle connections to handle 1
requests (1
> >> >> total connections ready)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> queue
> >> >> https://www.googleapis.com:443: Connection to peer
172.253.63.95:443
> >> >> claimed request [Req9: GET
> >> >>
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client: conn
> >> >> 172.253.63.95:443 [1]: Claimed request [Req9: GET
> >> >>
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> request [Req9: GET
> >> >>
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]:
> >> >> Sent header
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]: peer
> >> >> 172.253.63.95:443: No more requests to service for this
peer (1
> >> >> connections exist, 0 pending)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client: conn
> >> >> 172.253.63.95:443 [1]: Got 200 response for request
[Req9: GET
> >> >>
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]:
> >> >> OK (took 20 ms + 0 ms in queue)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Token validation
> >> >> succeeded
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> azp
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> aud
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> sub
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> scope
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> exp
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> expires_in
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> email
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> email_verified
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> access_type
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Making
> >> >> introspection
> >> >> request to https://www.googleapis.com/oauth2/v2/userinfo
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> queue
> >> >> https://www.googleapis.com:443: Using existing connection
to
> >> >> 172.253.63.95:443 (SSL=www.googleapis.com) (1 requests
pending)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> request [Req10: GET
https://www.googleapis.com/oauth2/v2/userinfo]:
> >> >> Submitted (requests left=2)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client: conn
> >> >> 172.253.63.95:443 [1]: Response payload stream destroyed
(0 ms after
> >> >> initial response)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> request [Req9: GET
> >> >>
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]:
> >> >> Finished
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> queue
> >> >> https://www.googleapis.com:443: Dropping request [Req9:
GET
> >> >>
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> request [Req9: GET
> >> >>
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI]:
> >> >> Free (requests left=2)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]: peer
> >> >> 172.253.63.95:443: Using 1 idle connections to handle 1
requests (1
> >> >> total connections ready)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> queue
> >> >> https://www.googleapis.com:443: Connection to peer
172.253.63.95:443
> >> >> claimed request [Req10: GET
> >> >> https://www.googleapis.com/oauth2/v2/userinfo]
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client: conn
> >> >> 172.253.63.95:443 [1]: Claimed request [Req10: GET
> >> >> https://www.googleapis.com/oauth2/v2/userinfo]
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> request [Req10: GET
https://www.googleapis.com/oauth2/v2/userinfo]:
> >> >> Sent
> >> >> header
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]: peer
> >> >> 172.253.63.95:443: No more requests to service for this
peer (1
> >> >> connections exist, 0 pending)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client: conn
> >> >> 172.253.63.95:443 [1]: Got 200 response for request
[Req10: GET
> >> >> https://www.googleapis.com/oauth2/v2/userinfo]: OK (took
57 ms + 0 ms
> >> >> in
> >> >> queue)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Introspection
> >> >> succeeded
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> id
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> email
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> verified_email
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> name
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> given_name
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> family_name
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> picture
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Processing field
> >> >> locale
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> oauth2(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Finished passdb
> >> >> lookup
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> auth(foo at
gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Auth request
> >> >> finished
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug: client
passdb out:
> >> >> OK#0111#011user=foo at
gmail.com#011token=ya29.A0ARrdaM_UsPVyxGVJ2aSHPS0D7gnONiuBcEF5CyUwFhnd6nq94c4T1PAWQeUE5IItCIwLb90QpkNLduHD8_vkeka7j6m574SP3gbg114lopTrmPZmHBIpDzaj2w-JqlV0bkFCT7jKqd5UHWXrRIAdqS0ksDCI
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client: conn
> >> >> 172.253.63.95:443 [1]: Response payload stream destroyed
(0 ms after
> >> >> initial response)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> request [Req10: GET
https://www.googleapis.com/oauth2/v2/userinfo]:
> >> >> Finished
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> queue
> >> >> https://www.googleapis.com:443: Dropping request [Req10:
GET
> >> >> https://www.googleapis.com/oauth2/v2/userinfo]
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client: host
> >> >> www.googleapis.com: Host is idle (timeout = 1786062
msecs)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]:
> >> >> request [Req10: GET
https://www.googleapis.com/oauth2/v2/userinfo]:
> >> >> Free
> >> >> (requests left=1)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client[1]: peer
> >> >> 172.253.63.95:443: No requests to service for this peer
(1 connections
> >> >> exist, 0 pending)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
http-client: conn
> >> >> 172.253.63.95:443 [1]: No more requests queued; going idle (timeout =
> >> >> 60000 msecs)
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug: master in:
> >> >> REQUEST#0113880255489#01122604#0111#0117acd1216a7041ddbdf7b563a2bc10dd1#011session_pid=22629#011request_auth_token
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> sql(foo at gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Performing userdb
> >> >> lookup
> >> >> Jan 31 09:11:46 example.com dovecot: auth-worker(22005): Debug: conn
> >> >> unix:auth-worker (pid=22001,uid=113): auth-worker<19>: Handling USER
> >> >> request
> >> >> Jan 31 09:11:46 example.com dovecot: auth-worker(22005): Debug: conn
> >> >> unix:auth-worker (pid=22001,uid=113): auth-worker<19>:
> >> >> sql(foo at gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Performing userdb
> >> >> lookup
> >> >> Jan 31 09:11:46 example.com dovecot: auth-worker(22005): Debug: conn
> >> >> unix:auth-worker (pid=22001,uid=113): auth-worker<19>:
> >> >> sql(foo at gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): SELECT
> >> >> CONCAT('/var/vmail/', LCASE(maildir)) AS home,
> >> >> CONCAT('maildir:/var/vmail/', LCASE(maildir)) AS mail, 150 AS uid, 8 AS
> >> >> gid, concat('dirsize:storage=', quota) AS quota, SHA2(CONCAT(username,
> >> >> random_key), 256) AS userdb_mail_crypt_private_password FROM mailbox
> >> >> WHERE username = 'foo at gmail.com'
> >> >> Jan 31 09:11:46 example.com dovecot: auth-worker(22005): Debug:
> >> >> mysql(localhost): Finished query 'SELECT CONCAT('/var/vmail/',
> >> >> LCASE(maildir)) AS home, CONCAT('maildir:/var/vmail/', LCASE(maildir))
> >> >> AS mail, 150 AS uid, 8 AS gid, concat('dirsize:storage=', quota) AS
> >> >> quota, SHA2(CONCAT(username, random_key), 256) AS
> >> >> userdb_mail_crypt_private_password FROM mailbox WHERE username =
> >> >> 'foo at gmail.com'' in 8 msecs
> >> >> Jan 31 09:11:46 example.com dovecot: auth-worker(22005): Debug: conn
> >> >> unix:auth-worker (pid=22001,uid=113): auth-worker<19>:
> >> >> sql(foo at gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Finished userdb
> >> >> lookup
> >> >> Jan 31 09:11:46 example.com dovecot: auth-worker(22005): Debug: conn
> >> >> unix:auth-worker (pid=22001,uid=113): auth-worker<19>: Finished
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug:
> >> >> sql(foo at gmail.com,127.0.0.1,<56F7LN3Wnsl/AAAB>): Finished userdb
> >> >> lookup
> >> >> Jan 31 09:11:46 example.com dovecot: auth: Debug: master userdb out:
> >> >> USER#0113880255489#011foo at gmail.com#011home=/var/vmail/gmail.com/max.kostikov/#011mail=maildir:/var/vmail/gmail.com/max.kostikov/#011uid=150#011gid=8#011quota=dirsize:storage=0#011userdb_mail_crypt_private_password=<hidden>#011auth_mech=XOAUTH2#011auth_token=cd1adb77645bc681e152d945b5617ef602b29fb7
> >> >> Jan 31 09:11:46 example.com dovecot: imap-login: Login:
> >> >> user=<foo at gmail.com>, method=XOAUTH2, rip=127.0.0.1, lip=127.0.0.1,
> >> >> mpid=22629, TLS, session=<56F7LN3Wnsl/AAAB>
> >> >> Jan 31 09:11:46 example.com dovecot:
> >> >> imap(foo at gmail.com)<22615><XtdzLN3WnMl/AAAB>: Error: Mailbox INBOX:
> >> >> UID=1: read() failed:
> >> >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.example.com,S=2140,W=2193:2,S)
> >> >> failed: Private key not available: Cannot decrypt key
> >> >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870: Cannot
> >> >> decrypt key
> >> >> 98ae0f998f9139ebe20a97de77f162dcdeed496e38c9b5910186f999f3ef66c8:
> >> >> Password not available (FETCH BODY[HEADER])
> >> >> Jan 31 09:11:46 example.com dovecot:
> >> >> imap(foo at gmail.com)<22615><XtdzLN3WnMl/AAAB>: Disconnected: FETCH
> >> >> read() failed in=57 out=800 deleted=0 expunged=0 trashed=0 hdr_count=1
> >> >> hdr_bytes=0 body_count=0 body_bytes=0
> >> >>
> >> >> I've tried to add
> >> >>
> >> >> pass_attrs = userdb_mail_crypt_private_password=%{userdb:userdb_mail_crypt_private_password}
> >> >>
> >> >> into the pass_attrs = userdb_mail_crypt_private_password=%{userdb:mail_crypt_private_password}
> >> >> but it looks like no correct key decryption password is passed
> >> >>
> >> >> ...
> >> >> Jan 31 09:10:49 example.com dovecot:
> >> >> imap(foo at gmail.com)<20613><HVcHKd3W9sh/AAAB>: Error: Mailbox INBOX:
> >> >> UID=1: read() failed:
> >> >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.example.com,S=2140,W=2193:2,S)
> >> >> failed: Private key not available: Cannot decrypt key
> >> >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870:
> >> >> error:03070068:bignum routines:BN_mpi2bn:encoding error (FETCH
> >> >> BODY[HEADER])
> >> >> Jan 31 09:10:50 example.com dovecot:
> >> >> imap(foo at gmail.com)<20631><cuIWKd3W+Mh/AAAB>: Error: Mailbox INBOX:
> >> >> UID=1: read() failed:
> >> >> read(/var/vmail/gmail.com/max.kostikov/cur/1643481212.M353350P24555.example.com,S=2140,W=2193:2,S)
> >> >> failed: Private key not available: Cannot decrypt key
> >> >> 34255c3a029dc86ba4f07fa9bae2e87e4254de1d582f220a99b46f20bd382870:
> >> >> error:03070068:bignum routines:BN_mpi2bn:encoding error
> >> >>
> >> >> Aki Tuomi wrote 2022-01-31 08:34:
> >> >> >> On 28/01/2022 21:27 Max Kostikov <max at kostikov.co> wrote:
> >> >> >>
> >> >> >>
> >> >> >> We currently use Dovecot and mailbox encryption via the
> >> >> >> mail-crypt-plugin.
> >> >> >> With standard password authentication, we set the value of the
> >> >> >> individual password to encrypt the contents of the mailbox in
> >> >> >> userdb_mail_crypt_private_password in the SQL query.
> >> >> >> Is it possible to set the userdb_mail_crypt_private_password value
> >> >> >> when authenticating via OAUTH2?
> >> >> >>
> >> >> >> --
> >> >> >> Best regards,
> >> >> >> Max Kostikov
> >> >> >
> >> >> > You probably want to split your passdb drivers into two, one which
> >> >> > does the authentication and a second which populates the private
> >> >> > password value. This way it should work correctly in both cases.
> >> >> >
> >> >> > passdb {
> >> >> > driver = sql
> >> >> > skip = unauthenticated
> >> >> > ...
> >> >> > }
> >> >> >
> >> >> > and ensure you return in this sql query `'Y' as noauthenticate`
> >> >> >
> >> >> > Aki
> >> >>
> >> >> --
> >> >> Best regards,
> >> >> Max Kostikov
> >> >>
> >> >> W: https://kostikov.co | E: max at kostikov.co | T: +7(952)7927000
> >>
> >> --
> >> Best regards,
> >> Max Kostikov
> >>
> >> W: https://kostikov.co | E: max at kostikov.co | T: +7(952)7927000
>
> --
> Best regards,
> Max Kostikov
>
> W: https://kostikov.co | E: max at kostikov.co | T: +7(952)7927000
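The layout Aki recommends at the top of the thread, written out as an added example (not configuration from the thread or from the Dovecot project): passdb does authentication only, and every per-user field, including the mail-crypt password, comes from the userdb, so LMTP/LDA deliveries (which skip passdb) see the same fields as IMAP logins. It reuses the `mailbox` table columns and the SHA2(username + random_key) derivation from Max's queries; the assumption that a userdb result names the field `mail_crypt_private_password` without the `userdb_` prefix (that prefix is the passdb convention for forwarding fields to the userdb) is mine.

```conf
# ---- dovecot.conf (added example; auth section only) ----
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2

# passdb handles authentication and nothing else.
# OAuth2 logins are verified against Google here; a successful token
# check ends the passdb chain, so the SQL passdb below is not consulted.
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

# Password logins (PLAIN/LOGIN) are checked against the SQL table.
# skip = authenticated keeps this passdb out of the OAuth2 path.
passdb {
  driver = sql
  skip = authenticated
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# userdb carries all user-related fields. IMAP/POP3 run it after passdb;
# LMTP/LDA run only this lookup, so the mail-crypt password must live here.
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# ---- /etc/dovecot/dovecot-sql.conf.ext ----
# password_query no longer returns any userdb_* fields: authentication only.
password_query = \
  SELECT username AS user, password \
  FROM mailbox WHERE username = '%u' AND active = '1'

# ASSUMPTION: in a userdb lookup the field is named
# mail_crypt_private_password (no userdb_ prefix), which is what the
# mail-crypt plugin reads as plugin/mail_crypt_private_password.
user_query = \
  SELECT \
    CONCAT('/var/vmail/', LCASE(maildir)) AS home, \
    CONCAT('maildir:/var/vmail/', LCASE(maildir)) AS mail, \
    150 AS uid, 8 AS gid, \
    CONCAT('dirsize:storage=', quota) AS quota, \
    SHA2(CONCAT(username, random_key), 256) AS mail_crypt_private_password \
  FROM mailbox WHERE username = '%u' AND active = '1'

iterate_query = SELECT username AS user FROM mailbox
```

`doveadm user max.kostikov@gmail.com` performs only the userdb lookup and prints the fields it returns, which is the quickest way to confirm the password field is present for a user before testing an IMAP login or an LMTP delivery.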