Serveria Support
2022-Aug-28 06:20 UTC
Dovecot mail-crypt webmail can't read encrypted messages
I'm trying to set up Dovecot with the mail-crypt plugin with per-user encryption. I have configured the mail-crypt plugin as per the official guide here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

After that I created a user and an encrypted key by running this command:

    doveadm -o \plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail@example.org -URf

(replacing dummy data ofc)

I can log in to webmail (and Dovecot) just fine, emails are getting sent and delivered. I have also checked the storage and the messages seem to be stored encrypted.

However, I can't read the emails in webmail (just headers can be seen) and in Dovecot logs I can see the following error:

    failed: Private key not available: Cannot decrypt key ### Cannot decrypt key ### <8632: Password not available (FETCH RFC822.HEADER)

There seems to be an issue with the MySQL query. The query I'm using:

    Select username as "user", password,"%w" as userdb_mail_crypt_private_password from mailbox;

seems to work just fine; when run from the mysql prompt it outputs the usernames and passwords, but the error is still there (Cannot decrypt key ### Password not available).

Any ideas? What am I missing?
> On 28/08/2022 09:20 EEST Serveria Support <support@serveria.com> wrote:
>
> I'm trying to set up Dovecot with the mail-crypt plugin with per-user encryption.
>
> I have configured the mail-crypt plugin as per the official guide here:
> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>
> After that I created a user and an encrypted key by running this command:
> doveadm -o \plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail@example.org -URf
> (replacing dummy data ofc)
>
> I can log in to webmail (and Dovecot) just fine, emails are getting sent
> and delivered. I have also checked the storage and the messages seem to
> be stored encrypted.
>
> However, I can't read the emails in webmail (just headers can be seen)
> and in Dovecot logs I can see the following error:
>
> failed: Private key not available: Cannot decrypt key ### Cannot decrypt
> key ### <8632: Password not available (FETCH RFC822.HEADER)
>
> There seems to be an issue with the MySQL query. The query I'm using (Select
> username as "user", password,"%w" as userdb_mail_crypt_private_password
> from mailbox;) seems to work just fine; when run from the mysql prompt it
> outputs the usernames and passwords, but the error is still there
> (Cannot decrypt key ### Password not available).
>
> Any ideas? What am I missing?

Hi!

First of all, it's super-unsafe to use the user's password like that as the private password; at least run it through SHA256. This prevents Dovecot from doing expansions on it by accident.

Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and make sure the correct value gets added as 'plugin/mail_crypt_private_password' when using it with webmail.

Aki
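Aki's advice applied to the query posted above, as an added example that is not from the thread or from the Dovecot documentation: the plaintext `%w` column beside a variant that hands mail-crypt a SHA-256 digest instead. It assumes MySQL/MariaDB (for `SHA2()` and `CONCAT()`), that the query is a `password_query` used with a prefetch userdb so its `userdb_` columns reach the mail process, the poster's `mailbox` table with `username` and `password` columns, and a `WHERE username = '%u'` clause that the original query did not have.

```sql
-- As posted in the thread: the plaintext login password (%w, substituted by
-- Dovecot before the query runs) becomes the mail-crypt private key password.
-- Any '%' sequence inside a user's password is then exposed to Dovecot's own
-- variable expansion, and the login password travels on as an ordinary userdb
-- field that auth debugging will print.
SELECT username AS "user",
       password,
       '%w' AS userdb_mail_crypt_private_password
FROM mailbox
WHERE username = '%u';

-- Hardened variant: derive the key password from the login password with SHA2().
-- The result is a fixed 64-character hex string, so it contains no '%' and
-- nothing is left for Dovecot to expand, and the login password itself is never
-- used directly as the key password. Assumption: prefixing the username as a
-- salt is an addition here, so two accounts with the same login password do not
-- end up with the same key password.
SELECT username AS "user",
       password,
       SHA2(CONCAT('mail-crypt:', username, ':', '%w'), 256)
           AS userdb_mail_crypt_private_password
FROM mailbox
WHERE username = '%u';
```

Keys that were generated with the old plaintext value no longer match the derived password, so existing users have to be re-keyed (the mail-crypt documentation describes `doveadm mailbox cryptokey password` for changing a key's password) before switching the query over.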