Serveria Support
2022-Aug-29 13:30 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Upon closer review, it seems you're probably right: both users are in fact marked master_user. How is that possible? I haven't marked the new user as a master_user. Are users marked master_user by default? What's even more interesting, /etc/dovecot/dovecot-master-users doesn't contain this user's data. Is it possible to unset this master_user flag somehow? I browsed through the db in mySQL but wasn't able to locate any master_users as well. Sorry for being such a noob... :)

On 2022-08-29 11:33, Aki Tuomi wrote:
> Hard to say.
>
> If you are logging in as master_user, there will be a different password
> than normal user. Usually. With your setup, you can only access user's
> mail if you are using the exact same password that the user was using.
>
> Your logs seem to indicate that you are logging in as master_user, so you
> are probably unable to access mails.
>
> Aki
>
>> On 29/08/2022 10:51 EEST Serveria Support <support at serveria.com> wrote:
>>
>> Emm, sorry for the confusion, there are two users authenticating -
>> master user "postmaster" and the second user called "test". I have
>> just obfuscated users by replacing usernames with myuser. So no, this
>> shouldn't be the issue.
>>
>> Any other suggestions?
>>
>> On 2022-08-29 10:30, Aki Tuomi wrote:
>>>> On 29/08/2022 09:26 EEST Serveria Support <support at serveria.com> wrote:
>>>>
>>>> It's a testing install, my main goal is to make it work. I will play
>>>> around with password encryption before going live.
>>>>
>>>> I have enabled all possible debugging yet I can't see the value you
>>>> mentioned in the log file. Could you please point me?
>>>>
>>>> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>>>> unix:auth-worker (pid=648542,uid=110): auth-worker<1>:
>>>> sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): query: SELECT
>>>> mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE
>>>> mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1 AND
>>>> mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0
>>>> AND domain.active=1
>>>
>>> it's not set here.
>>>
>>>> Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: conn
>>>> unix:auth-worker (pid=648542,uid=110): auth-worker<2>:
>>>> sql(myuser at mydomain.xyz,xx.xx.xx.xx,<Y+4ayVrnJ9VV/kpz>): SELECT
>>>> LOWER('myuser at mydomain.xyz') AS master_user,
>>>> LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode,
>>>> '/', mailbox.maildir)) AS home, CONCAT(mailbox.mailboxformat, ':~/',
>>>> mailbox.mailboxfolder) AS mail, CONCAT('*:bytes=',
>>>> mailbox.quota*1048576) AS quota_rule FROM mailbox,domain WHERE
>>>> mailbox.username='myuser at mydomain.xyz' AND mailbox.`enableimaptls`=1 AND
>>>> mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0
>>>> AND domain.active=1
>>>
>>> it's not set here either.
>>>
>>> So. You are doing master user login, and are wondering why user's
>>> password is not available?
>>>
>>> Master user logins are not really compatible with using user's
>>> password as encryption key.
>>>
>>> Aki
>>>
>>>> On 2022-08-29 07:56, Aki Tuomi wrote:
>>>>>> On 28/08/2022 09:20 EEST Serveria Support <support at serveria.com> wrote:
>>>>>>
>>>>>> I'm trying to setup Dovecot with mail-crypt plugin with per-user
>>>>>> encryption.
>>>>>>
>>>>>> I have configured mail-crypt plugin as per official guide here:
>>>>>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>>>>>>
>>>>>> After that I created a user and an encrypted key by running this
>>>>>> command: doveadm -o \plugin/mail_crypt_private_password=12345 mailbox
>>>>>> cryptokey generate -u mail at example.org -URf (replacing dummy data ofc)
>>>>>>
>>>>>> I can log in to webmail (and Dovecot) just fine, emails are getting sent
>>>>>> and delivered. I have also checked the storage and the messages seem to
>>>>>> be stored encrypted.
>>>>>>
>>>>>> However, I can't read the emails in webmail (just headers can be seen)
>>>>>> and in Dovecot logs I can see the following error:
>>>>>>
>>>>>> failed: Private key not available: Cannot decrypt key ### Cannot decrypt
>>>>>> key ### <8632: Password not available (FETCH RFC822.HEADER)
>>>>>>
>>>>>> There seems to be an issue with mySQL query. The query I'm using (Select
>>>>>> username as "user", password,"%w" as userdb_mail_crypt_private_password
>>>>>> from mailbox;) seems to work just fine, when run from mysql prompt it
>>>>>> outputs the usernames and passwords, but the error is still there
>>>>>> (Cannot decrypt key ### Password not available).
>>>>>>
>>>>>> Any ideas? What am I missing?
>>>>>
>>>>> Hi!
>>>>>
>>>>> First of all, it's super-unsafe to use user's password like that as
>>>>> private password, at least run it through SHA256. This prevents
>>>>> dovecot from doing expansions on it by accident.
>>>>>
>>>>> Secondly, enable mail_debug=yes and auth_debug=yes, run it again, and
>>>>> make sure the correct value gets added as
>>>>> 'plugin/mail_crypt_private_password' when using with webmail.
>>>>>
>>>>> Aki
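A quick check over the auth-worker debug lines quoted in this thread, added here as an example and not part of the thread or of Dovecot: it pulls each SQL query Dovecot logged and flags the patterns the discussion turns on (a query returning an `AS master_user` column, which makes the login a master-user login; a password query that returns no `userdb_mail_crypt_private_password`; and a private password passed through as a raw literal rather than a SHA-256 hex digest, per Aki's advice). The sample log lines are constructed from the ones in the thread; usernames, IPs, session ids and the literal password are placeholders.

```python
import re

# Constructed sample auth-worker debug lines modelled on the thread's logs.
# The third line is a constructed variant of the thread's first query, which
# returned the plaintext '%w' as userdb_mail_crypt_private_password.
LOG_LINES = [
    "Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: auth-worker<1>: "
    "sql(myuser@mydomain.xyz,xx.xx.xx.xx,<SESSION>): query: SELECT mailbox.password, "
    "mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='myuser@mydomain.xyz'",
    "Aug 29 01:46:30 mx dovecot: auth-worker(648543): Debug: auth-worker<2>: "
    "sql(myuser@mydomain.xyz,xx.xx.xx.xx,<SESSION>): SELECT LOWER('myuser@mydomain.xyz') "
    "AS master_user, LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.maildir)) AS home "
    "FROM mailbox,domain WHERE mailbox.username='myuser@mydomain.xyz'",
    "Aug 29 01:47:02 mx dovecot: auth-worker(648543): Debug: auth-worker<3>: "
    "sql(test@mydomain.xyz,xx.xx.xx.xx,<SESSION>): query: SELECT username AS \"user\", password, "
    "'hunter2' AS userdb_mail_crypt_private_password FROM mailbox WHERE username='test@mydomain.xyz'",
]

# user name and SQL text out of "sql(user,ip,<session>): [query: ]SELECT ..."
QUERY_RE = re.compile(r"sql\(([^,)]+)[^)]*\):\s*(?:query:\s*)?(SELECT\b.*)$", re.IGNORECASE)
# the literal returned as the mail_crypt private password, if the query returns one
PRIVPW_RE = re.compile(r"'([^']*)'\s+AS\s+userdb_mail_crypt_private_password\b", re.IGNORECASE)


def audit_auth_queries(lines):
    """Return (user, finding) tuples for the query patterns this thread identifies."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        user, query = m.group(1), m.group(2)
        lowered = query.lower()
        select_list = lowered.split(" from ", 1)[0]
        # Returning master_user from userdb turns the login into a master-user login,
        # so the user's own password is not available as the mail_crypt key.
        if re.search(r"\bas\s+master_user\b", select_list):
            findings.append((user, "master_user"))
        # A password query that never hands mail_crypt its private password.
        if re.search(r"\bpassword\b", select_list) and "userdb_mail_crypt_private_password" not in lowered:
            findings.append((user, "no_private_password"))
        # Aki's point: pass a SHA-256 digest (64 hex chars), not the raw password.
        pw = PRIVPW_RE.search(query)
        if pw and not re.fullmatch(r"[0-9a-f]{64}", pw.group(1)):
            findings.append((user, "private_password_not_hashed"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_auth_queries(LOG_LINES):
        print(f"{user}: {finding}")
```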
Serveria Support
2022-Aug-30 12:33 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Update: I managed to remove the master user query so users are not getting marked as master_user on login. However, that doesn't seem to affect anything. I'm still unable to read encoded emails in webmail. No new errors are showing up in the log. I have even created a brand new user and all new keys via doveadm but still no go. Any suggestions?

On 2022-08-29 16:30, Serveria Support wrote:
> Upon closer review, it seems you're probably right: both users are in
> fact marked master_user. How is that possible? I haven't marked the new
> user as a master_user. Are users marked master_user by default? What's
> even more interesting, /etc/dovecot/dovecot-master-users doesn't
> contain this user's data. Is it possible to unset this master_user
> flag somehow? I browsed through the db in mySQL but wasn't able to
> locate any master_users as well. Sorry for being such a noob... :)