Hard to say.

If you are logging in as master_user, there will be a different password than for the normal user. Usually. With your setup, you can only access the user's mail if you are using the exact same password that the user was using.

Your logs seem to indicate that you are logging in as master_user, so you are probably unable to access mails.

Aki

> On 29/08/2022 10:51 EEST Serveria Support <support at serveria.com> wrote:
>
> Emm, sorry for the confusion, there are two users authenticating - master user "postmaster" and the second user called "test". I have just obfuscated users by replacing usernames with myuser. So no, this shouldn't be the issue.
>
> Any other suggestions?
>
> On 2022-08-29 10:30, Aki Tuomi wrote:
> > > On 29/08/2022 09:26 EEST Serveria Support <support at serveria.com> wrote:
> > >
> > > It's a testing install; my main goal is to make it work. I will play around with password encryption before going live.
> > >
> > > I have enabled all possible debugging, yet I can't see the value you mentioned in the log file. Could you please point me?
> > >
> > > Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn unix:auth-worker (pid=648542,uid=110): auth-worker<1>: sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> >
> > it's not set here.
> >
> > > Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn unix:auth-worker (pid=648542,uid=110): auth-worker<2>: sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): SELECT LOWER('myuser at mydomain.xyz') AS master_user, LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> >
> > it's not set here either.
> >
> > So. You are doing master user login, and are wondering why the user's password is not available?
> >
> > Master user logins are not really compatible with using the user's password as encryption key.
> >
> > Aki
> >
> > > On 2022-08-29 07:56, Aki Tuomi wrote:
> > > > > On 28/08/2022 09:20 EEST Serveria Support <support at serveria.com> wrote:
> > > > >
> > > > > I'm trying to set up Dovecot with the mail-crypt plugin with per-user encryption.
> > > > >
> > > > > I have configured the mail-crypt plugin as per the official guide here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
> > > > >
> > > > > After that I created a user and an encrypted key by running this command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail at example.org -URf (replacing dummy data ofc)
> > > > >
> > > > > I can log in to webmail (and Dovecot) just fine, emails are getting sent and delivered. I have also checked the storage and the messages seem to be stored encrypted.
> > > > >
> > > > > However, I can't read the emails in webmail (just headers can be seen) and in Dovecot logs I can see the following error:
> > > > >
> > > > > failed: Private key not available: Cannot decrypt key ### Cannot decrypt key ### <8632: Password not available (FETCH RFC822.HEADER)
> > > > >
> > > > > There seems to be an issue with the MySQL query. The query I'm using (Select username as "user", password,"%w" as userdb_mail_crypt_private_password from mailbox;) seems to work just fine; when run from the mysql prompt it outputs the usernames and passwords, but the error is still there (Cannot decrypt key ### Password not available).
> > > > >
> > > > > Any ideas? What am I missing?
> > > >
> > > > Hi!
> > > >
> > > > First of all, it's super-unsafe to use the user's password like that as private password; at least run it through SHA256. This prevents dovecot from doing expansions on it by accident.
> > > >
> > > > Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and make sure the correct value gets added as 'plugin/mail_crypt_private_password' when using with webmail.
> > > >
> > > > Aki
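The thread turns on two things: the passdb query must hand mail_crypt a derived value instead of the raw `%w` (Aki's SHA256 advice), and the key pair must have been generated with exactly that same value, or every fetch fails with "Private key not available". The script below is an added example, not code from the thread, from Dovecot or from iRedMail; the `password_query` lines in its header comment and the script name are assumptions, and it deliberately does not cover master-user logins, where `%w` is the master user's password and, as Aki notes, this scheme cannot work.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot itself.
#
# Assumed /etc/dovecot/dovecot-sql.conf.ext (MySQL) passdb lines, modelled on
# the query in the thread:
#
#   # weak: the raw password becomes a settings value and is %-expanded
#   # password_query = SELECT username AS user, password, \
#   #     '%w' AS userdb_mail_crypt_private_password FROM mailbox WHERE username = '%u'
#
#   # hardened (Aki's suggestion): hash it first; SHA2(x, 256) is lowercase hex
#   password_query = SELECT username AS user, password, \
#       SHA2('%w', 256) AS userdb_mail_crypt_private_password FROM mailbox WHERE username = '%u'
#
# Whatever transformation the SQL side applies to %w has to be reproduced byte
# for byte when the user key is created, otherwise IMAP/webmail logins fail
# with "Private key not available: Cannot decrypt key".

# SHA-256 of the plaintext password as lowercase hex, no trailing newline hashed.
# This is what MySQL's SHA2('%w', 256) returns for the same input.
mail_crypt_private_password() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
    fi
}

# Build the doveadm command that generates the user's key pair wrapped with the
# derived password (same -URf flags as the command in the thread).
cryptokey_generate_cmd() {
    user=$1
    key=$(mail_crypt_private_password "$2")
    printf 'doveadm -o plugin/mail_crypt_private_password=%s mailbox cryptokey generate -u %s -URf\n' \
        "$key" "$user"
}

# Usage: sh mailcrypt-key.sh user@example.org 'PlainPassword' [run]
# Without "run" the command is only printed; with "run" doveadm is executed.
if [ -n "${1:-}" ]; then
    cmd=$(cryptokey_generate_cmd "$1" "$2")
    if [ "${3:-}" = "run" ]; then
        eval "$cmd"
    else
        echo "$cmd"
    fi
fi
```

Two caveats a deployment should plan for. Hashing only stops Dovecot from expanding `%`-sequences in the password, as Aki says; SHA-256 of a weak password is still cheap to brute-force for anyone who can read the wrapped key, so the user's password policy is what protects the key. And because the wrapping secret is derived from the login password, a password change has to be accompanied by re-wrapping the key with the new derived value (the thread does not cover that step).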
Serveria Support
2022-Aug-29 13:30 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Upon closer review, it seems you're probably right: both users are in fact marked master_user. How is that possible? I haven't marked the new user as a master_user. Are users marked master_user by default? What's even more interesting, /etc/dovecot/dovecot-master-users doesn't contain this user's data. Is it possible to unset this master_user flag somehow? I browsed through the db in MySQL but wasn't able to locate any master_users either. Sorry for being such a noob... :)

On 2022-08-29 11:33, Aki Tuomi wrote:
> Hard to say.
>
> If you are logging in as master_user, there will be a different password than for the normal user. Usually. With your setup, you can only access the user's mail if you are using the exact same password that the user was using.
>
> Your logs seem to indicate that you are logging in as master_user, so you are probably unable to access mails.
>
> Aki
>
> > On 29/08/2022 10:51 EEST Serveria Support <support at serveria.com> wrote:
> >
> > Emm, sorry for the confusion, there are two users authenticating - master user "postmaster" and the second user called "test". I have just obfuscated users by replacing usernames with myuser. So no, this shouldn't be the issue.
> >
> > Any other suggestions?
> >
> > On 2022-08-29 10:30, Aki Tuomi wrote:
> > > > On 29/08/2022 09:26 EEST Serveria Support <support at serveria.com> wrote:
> > > >
> > > > It's a testing install; my main goal is to make it work. I will play around with password encryption before going live.
> > > >
> > > > I have enabled all possible debugging, yet I can't see the value you mentioned in the log file. Could you please point me?
> > > >
> > > > Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn unix:auth-worker (pid=648542,uid=110): auth-worker<1>: sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> > >
> > > it's not set here.
> > >
> > > > Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn unix:auth-worker (pid=648542,uid=110): auth-worker<2>: sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): SELECT LOWER('myuser at mydomain.xyz') AS master_user, LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
> > >
> > > it's not set here either.
> > >
> > > So. You are doing master user login, and are wondering why the user's password is not available?
> > >
> > > Master user logins are not really compatible with using the user's password as encryption key.
> > >
> > > Aki
> > >
> > > > On 2022-08-29 07:56, Aki Tuomi wrote:
> > > > > > On 28/08/2022 09:20 EEST Serveria Support <support at serveria.com> wrote:
> > > > > >
> > > > > > I'm trying to set up Dovecot with the mail-crypt plugin with per-user encryption.
> > > > > >
> > > > > > I have configured the mail-crypt plugin as per the official guide here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
> > > > > >
> > > > > > After that I created a user and an encrypted key by running this command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox cryptokey generate -u mail at example.org -URf (replacing dummy data ofc)
> > > > > >
> > > > > > I can log in to webmail (and Dovecot) just fine, emails are getting sent and delivered. I have also checked the storage and the messages seem to be stored encrypted.
> > > > > >
> > > > > > However, I can't read the emails in webmail (just headers can be seen) and in Dovecot logs I can see the following error:
> > > > > >
> > > > > > failed: Private key not available: Cannot decrypt key ### Cannot decrypt key ### <8632: Password not available (FETCH RFC822.HEADER)
> > > > > >
> > > > > > There seems to be an issue with the MySQL query. The query I'm using (Select username as "user", password,"%w" as userdb_mail_crypt_private_password from mailbox;) seems to work just fine; when run from the mysql prompt it outputs the usernames and passwords, but the error is still there (Cannot decrypt key ### Password not available).
> > > > > >
> > > > > > Any ideas? What am I missing?
> > > > >
> > > > > Hi!
> > > > >
> > > > > First of all, it's super-unsafe to use the user's password like that as private password; at least run it through SHA256. This prevents dovecot from doing expansions on it by accident.
> > > > >
> > > > > Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and make sure the correct value gets added as 'plugin/mail_crypt_private_password' when using with webmail.
> > > > >
> > > > > Aki