Serveria Support
2022-Sep-14 16:34 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Thanks for your help. Do you know in which folder the keys are stored? I'd like to check the permissions...

On 2022-09-14 18:56, hi at zakaria.website wrote:
> On 2022-09-14 16:04, Serveria Support wrote:
>> Oh, I thought that section is for the global keys. I'm trying to use
>> per-user/per-folder keys. I used this command:
>>
>> doveadm -o plugin/mail_crypt_private_password=xxxxxxxxxx mailbox
>> cryptokey generate -u user at mydomain.xyz -URf
>>
>>
>>
>> On 2022-09-14 17:47, hi at zakaria.website wrote:
>>> On 2022-09-14 15:11, Serveria Support wrote:
>>>> How can I set the global private key in conf? I was following the
>>>> official mail-crypt tutorial. This is what I have in dovecot.conf
>>>> mail-crypt section:
>>>>
>>>> mail_crypt_curve = secp521r1
>>>> mail_crypt_save_version = 2
>>>> mail_crypt_require_encrypted_user_key = yes
>>>>
>>>>
>>>>
>>>> On 2022-09-14 17:23, hi at zakaria.website wrote:
>>>>> On 2022-09-14 14:41, Serveria Support wrote:
>>>>>> Hi,
>>>>>>
>>>>>> This log shows no errors. Running doveadm fetch command gives me
>>>>>> this:
>>>>>>
>>>>>> doveadm(user at mydomain.xyz): Error: fetch(text) failed for
>>>>>> box=INBOX uid=15: read() failed:
>>>>>> read(/var/vmail/vmail1/mydomain.xyz/a/b/d/xxxxxxxx-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S)
>>>>>> failed: Private key not available: Cannot decrypt key
>>>>>> fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89:
>>>>>> Cannot decrypt key
>>>>>> 10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7:
>>>>>> Password not available
>>>>>>
>>>>>> On 2022-09-13 14:43, hi at zakaria.website wrote:
>>>>>>> On 2022-09-02 20:40, Serveria Support wrote:
>>>>>>>> I tried it but it doesn't seem to make any difference at all.
>>>>>>>>
>>>>>>>> Can someone please assist me with reading logs? Does this log
>>>>>>>> below mean Dovecot is trying to use master_user again or simply
>>>>>>>> reading master_user password file?
>>>>>>>>
>>>>>>>> Sep 2 15:35:33 mx dovecot: auth: Debug: Read auth token secret
>>>>>>>> from /run/dovecot/auth-token-secret.dat
>>>>>>>> Sep 2 15:35:33 mx dovecot: auth: Debug: passwd-file
>>>>>>>> /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
>>>>>>>> Sep 2 15:35:33 mx dovecot: auth: Debug: auth client connected
>>>>>>>> (pid=900284)
>>>>>>>> Sep 2 15:35:33 mx dovecot: auth: Debug: client in:
>>>>>>>> AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE=
>>>>>>>> (previous base64 data may contain sensitive data)
>>>>>>>>
>>>>>>>> Everything ok here?
>>>>>>>>
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: auth client connected
>>>>>>>> (pid=899859)
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: client in:
>>>>>>>> AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE=
>>>>>>>> (previous base64 data may contain sensitive data)
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing
>>>>>>>> passdb lookup
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling
>>>>>>>> PASSV request
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing
>>>>>>>> passdb lookup
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query:
>>>>>>>> SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain
>>>>>>>> WHERE mailbox.username='user1 at mydomain.xyz' AND
>>>>>>>> mailbox.`enableimaptls`=1 AND mailbox.active=1 AND
>>>>>>>> mailbox.domain=domain.domain AND domain.backupmx=0 AND
>>>>>>>> domain.active=1
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished
>>>>>>>> passdb lookup
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished
>>>>>>>> passdb lookup
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>> auth(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth
>>>>>>>> request finished
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: client passdb out:
>>>>>>>> OK#0111#011user=user1 at mydomain.xyz
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: master in:
>>>>>>>> REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing
>>>>>>>> userdb lookup
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling
>>>>>>>> USER request
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Performing
>>>>>>>> userdb lookup
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT
>>>>>>>> LOWER(CONCAT(mailbox.storagebasedirectory, '/',
>>>>>>>> mailbox.storagenode, '/', mailbox.maildir)) AS home,
>>>>>>>> CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS
>>>>>>>> mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule
>>>>>>>> FROM mailbox,domain WHERE mailbox.username='user1 at mydomain.xyz'
>>>>>>>> AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND
>>>>>>>> mailbox.domain=domain.domain AND domain.backupmx=0 AND
>>>>>>>> domain.active=1
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished
>>>>>>>> userdb lookup
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Finished
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished
>>>>>>>> userdb lookup
>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: master userdb out:
>>>>>>>> USER#0111998585857#011user1 at mydomain.xyz#011home=/var/vmail/vmail1/mydomain.xyz/t/e/s/xxxxx-2022.08.30.06.07.08/#011mail=maildir:~/Maildir#011quota_rule=*:bytes=1073741824#011auth_mech=PLAIN#011auth_token=fac9c351492fd6073176272c79ff65b1b3e87f37
>>>>>>>>
>>>>>>>> Sep 2 15:25:34 mx dovecot:
>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug: Added
>>>>>>>> userdb setting: mail=maildir:~/Maildir
>>>>>>>> Sep 2 15:25:34 mx dovecot:
>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug: Added
>>>>>>>> userdb setting: plugin/quota_rule=*:bytes=1073741824
>>>>>>>> Sep 2 15:25:34 mx dovecot:
>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug:
>>>>>>>> Effective uid=2000, gid=2000,
>>>>>>>> home=/var/vmail/vmail1/mydomain.xyz/t/e/s/xxxxx-2022.08.30.06.07.08/
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>>
>>>>>>>> On 2022-09-02 20:08, dovecot at ptld.com wrote:
>>>>>>>>>> password_query = SELECT \
>>>>>>>>>> username as user, password, \
>>>>>>>>>> '%w' AS userdb_mail_crypt_private_password \
>>>>>>>>>> FROM mailbox WHERE username="%u";
>>>>>>>>>
>>>>>>>>> Try if using ' instead of " makes a difference.
>>>>>>>>> FROM mailbox WHERE username='%u';
>>>>>>>
>>>>>>> The logs doesn't show any errors?
>>>>>
>>>>> Private key not available? Isn't clear enough?
>>>>>
>>>>> Did you set the global private key in dovecot config?
>>>>>
>>>>> The error is saying the private key that meant to be used to
>>>>> decrypt
>>>>> emails is not found, thus it must be the path you set in mail crypt
>>>>> plugin definition is incorrect or private key file have either
>>>>> wrong
>>>>> ownership or permissions.
>>>>>
>>>>> Notice it has to be in .pem format as well.
>>>
>>> Check RSA key section, in
>>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#rsa-key
>
> Check the Base64-encoded Keys section, I think it says something about
> query the pem content from DB per user. Also, search for " Setting up
> individual encrypted user keys using mail-crypt-plugin " post in the
> mailing list, it touches on which variable name needs to be passed in
> the sql query for the user corresponding pub and priv key.
>
> Encoding in base64 the content of PEM files seems to be important
> otherwise characters like % can cause problem in dovecot. I suggest to
> store the keys already encoded to ease the process of handling.
>
> Zakaria.
hi at zakaria.website
2022-Sep-14 17:12 UTC
Dovecot mail-crypt webmail can't read encrypted messages
On 2022-09-14 17:34, Serveria Support wrote:
> Thanks for your help. Do you know in which folder the keys are stored?
> I'd like to check the permissions...
>
> On 2022-09-14 18:56, hi at zakaria.website wrote:
>> On 2022-09-14 16:04, Serveria Support wrote:
>>> Oh, I thought that section is for the global keys. I'm trying to use
>>> per-user/per-folder keys. I used this command:
>>>
>>> doveadm -o plugin/mail_crypt_private_password=xxxxxxxxxx mailbox
>>> cryptokey generate -u user at mydomain.xyz -URf
>>>
>>>
>>>
>>> On 2022-09-14 17:47, hi at zakaria.website wrote:
>>>> On 2022-09-14 15:11, Serveria Support wrote:
>>>>> How can I set the global private key in conf? I was following the
>>>>> official mail-crypt tutorial. This is what I have in dovecot.conf
>>>>> mail-crypt section:
>>>>>
>>>>> mail_crypt_curve = secp521r1
>>>>> mail_crypt_save_version = 2
>>>>> mail_crypt_require_encrypted_user_key = yes
>>>>>
>>>>>
>>>>>
>>>>> On 2022-09-14 17:23, hi at zakaria.website wrote:
>>>>>> On 2022-09-14 14:41, Serveria Support wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> This log shows no errors. Running doveadm fetch command gives me
>>>>>>> this:
>>>>>>>
>>>>>>> doveadm(user at mydomain.xyz): Error: fetch(text) failed for
>>>>>>> box=INBOX uid=15: read() failed:
>>>>>>> read(/var/vmail/vmail1/mydomain.xyz/a/b/d/xxxxxxxx-2022.09.09.05.52.29//Maildir/cur/1663034263.M491074P1457418.mx,S=2217,W=2266:2,S)
>>>>>>> failed: Private key not available: Cannot decrypt key
>>>>>>> fd98762c573b8c54805884838695bd5b7eaeb9e0b0d326434c2f63a95a905a89:
>>>>>>> Cannot decrypt key
>>>>>>> 10fed5d3e938ce19a20046b84f29e50a271f6404f0760037996b4cf2d1ecfeb7:
>>>>>>> Password not available
>>>>>>>
>>>>>>> On 2022-09-13 14:43, hi at zakaria.website wrote:
>>>>>>>> On 2022-09-02 20:40, Serveria Support wrote:
>>>>>>>>> I tried it but it doesn't seem to make any difference at all.
>>>>>>>>>
>>>>>>>>> Can someone please assist me with reading logs? Does this log
>>>>>>>>> below mean Dovecot is trying to use master_user again or simply
>>>>>>>>> reading master_user password file?
>>>>>>>>>
>>>>>>>>> Sep 2 15:35:33 mx dovecot: auth: Debug: Read auth token secret
>>>>>>>>> from /run/dovecot/auth-token-secret.dat
>>>>>>>>> Sep 2 15:35:33 mx dovecot: auth: Debug: passwd-file
>>>>>>>>> /etc/dovecot/dovecot-master-users: Read 1 users in 0 secs
>>>>>>>>> Sep 2 15:35:33 mx dovecot: auth: Debug: auth client connected
>>>>>>>>> (pid=900284)
>>>>>>>>> Sep 2 15:35:33 mx dovecot: auth: Debug: client in:
>>>>>>>>> AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=Vfxm1bbnRo9/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36678#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE=
>>>>>>>>> (previous base64 data may contain sensitive data)
>>>>>>>>>
>>>>>>>>> Everything ok here?
>>>>>>>>>
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: auth client connected
>>>>>>>>> (pid=899859)
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: client in:
>>>>>>>>> AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=97OusbbnXI1/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011local_name=127.0.0.1#011resp=AHRlc3RvQG1haWxjaXRhZGVsLnh5egA0SFBYMWt0OSE=
>>>>>>>>> (previous base64 data may contain sensitive data)
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>):
>>>>>>>>> Performing passdb lookup
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Handling
>>>>>>>>> PASSV request
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>):
>>>>>>>>> Performing passdb lookup
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): query:
>>>>>>>>> SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain
>>>>>>>>> WHERE mailbox.username='user1 at mydomain.xyz' AND
>>>>>>>>> mailbox.`enableimaptls`=1 AND mailbox.active=1 AND
>>>>>>>>> mailbox.domain=domain.domain AND domain.backupmx=0 AND
>>>>>>>>> domain.active=1
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished
>>>>>>>>> passdb lookup
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<3>: Finished
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished
>>>>>>>>> passdb lookup
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>>> auth(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Auth
>>>>>>>>> request finished
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: client passdb out:
>>>>>>>>> OK#0111#011user=user1 at mydomain.xyz
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: master in:
>>>>>>>>> REQUEST#0111998585857#011899859#0111#01131314e9e09e38b194a05b78bfe279780#011session_pid=899860#011request_auth_token
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>):
>>>>>>>>> Performing userdb lookup
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Handling
>>>>>>>>> USER request
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>):
>>>>>>>>> Performing userdb lookup
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): SELECT
>>>>>>>>> LOWER(CONCAT(mailbox.storagebasedirectory, '/',
>>>>>>>>> mailbox.storagenode, '/', mailbox.maildir)) AS home,
>>>>>>>>> CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS
>>>>>>>>> mail, CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule
>>>>>>>>> FROM mailbox,domain WHERE mailbox.username='user1 at mydomain.xyz'
>>>>>>>>> AND mailbox.`enableimaptls`=1 AND mailbox.active=1 AND
>>>>>>>>> mailbox.domain=domain.domain AND domain.backupmx=0 AND
>>>>>>>>> domain.active=1
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished
>>>>>>>>> userdb lookup
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth-worker(899854): Debug: conn
>>>>>>>>> unix:auth-worker (pid=899853,uid=110): auth-worker<4>: Finished
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug:
>>>>>>>>> sql(user1 at mydomain.xyz,127.0.0.1,<97OusbbnXI1/AAAB>): Finished
>>>>>>>>> userdb lookup
>>>>>>>>> Sep 2 15:25:34 mx dovecot: auth: Debug: master userdb out:
>>>>>>>>> USER#0111998585857#011user1 at mydomain.xyz#011home=/var/vmail/vmail1/mydomain.xyz/t/e/s/xxxxx-2022.08.30.06.07.08/#011mail=maildir:~/Maildir#011quota_rule=*:bytes=1073741824#011auth_mech=PLAIN#011auth_token=fac9c351492fd6073176272c79ff65b1b3e87f37
>>>>>>>>>
>>>>>>>>> Sep 2 15:25:34 mx dovecot:
>>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug:
>>>>>>>>> Added userdb setting: mail=maildir:~/Maildir
>>>>>>>>> Sep 2 15:25:34 mx dovecot:
>>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug:
>>>>>>>>> Added userdb setting: plugin/quota_rule=*:bytes=1073741824
>>>>>>>>> Sep 2 15:25:34 mx dovecot:
>>>>>>>>> imap(user1 at mydomain.xyz)<899860><97OusbbnXI1/AAAB>: Debug:
>>>>>>>>> Effective uid=2000, gid=2000,
>>>>>>>>> home=/var/vmail/vmail1/mydomain.xyz/t/e/s/xxxxx-2022.08.30.06.07.08/
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>>>
>>>>>>>>> On 2022-09-02 20:08, dovecot at ptld.com wrote:
>>>>>>>>>>> password_query = SELECT \
>>>>>>>>>>> username as user, password, \
>>>>>>>>>>> '%w' AS userdb_mail_crypt_private_password \
>>>>>>>>>>> FROM mailbox WHERE username="%u";
>>>>>>>>>>
>>>>>>>>>> Try if using ' instead of " makes a difference.
>>>>>>>>>> FROM mailbox WHERE username='%u';
>>>>>>>>
>>>>>>>> The logs doesn't show any errors?
>>>>>>
>>>>>> Private key not available? Isn't clear enough?
>>>>>>
>>>>>> Did you set the global private key in dovecot config?
>>>>>>
>>>>>> The error is saying the private key that meant to be used to
>>>>>> decrypt
>>>>>> emails is not found, thus it must be the path you set in mail
>>>>>> crypt
>>>>>> plugin definition is incorrect or private key file have either
>>>>>> wrong
>>>>>> ownership or permissions.
>>>>>>
>>>>>> Notice it has to be in .pem format as well.
>>>>
>>>> Check RSA key section, in
>>>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#rsa-key
>>
>> Check the Base64-encoded Keys section, I think it says something about
>> query the pem content from DB per user. Also, search for " Setting up
>> individual encrypted user keys using mail-crypt-plugin " post in the
>> mailing list, it touches on which variable name needs to be passed in
>> the sql query for the user corresponding pub and priv key.
>>
>> Encoding in base64 the content of PEM files seems to be important
>> otherwise characters like % can cause problem in dovecot. I suggest to
>> store the keys already encoded to ease the process of handling.
>>
>> Zakaria.

No problem. Sorry, I don't know, but I recommend to check dovecot source code in the git repo.
> On 14/09/2022 19:34 EEST Serveria Support <support at serveria.com> wrote:
>
>
> Thanks for your help. Do you know in which folder the keys are stored?
> I'd like to check the permissions...
>

Some notes here, after reading this thread again:

- Keys are stored in mail_attributes file, which depends on your config, but usually is %h/dovecot-attributes, which means it'll be in user's home directory.

- The key format is Dovecot Dcrypt Key, you can use `doveadm mailbox cryptokey export` to export them in PEM format. Only **global keys** expect PEM formatted keys, which you are not using.

- If you are using mail_crypt_private_password to encrypt the user key, you will need to provide this every time you want to access the user's emails, including using doveadm. Dovecot does not know what password you are using.

- Your logs indicate that you are, still, using master userdb. This will not work. You cannot use master users with per-user encryption passwords in the way you do. If you want to use master users / master password, you must not encrypt the user key.

- You should really focus on reading your logs, because they really do indicate that the userdb_mail_crypt_private_password is not exported anywhere, so clearly and obviously you are not able to access the mails.

Maybe consider removing the master user authentication completely?

Aki
Serveria Support
2022-Oct-08 20:49 UTC
Dovecot mail-crypt webmail can't read encrypted messages
Hi,

I'm here with a follow-up. I have managed to fix this issue! I have rebuilt the entire project from scratch, using vanilla versions of Dovecot, Postfix, SOGo webmail etc. and everything works as expected: emails are getting encrypted, I'm able to send, receive and read emails in webmail.

I suspect the root of the issue was that I was using a software package called iredmail. My guess is that all the master admin drama was caused by iredmail.

Big thanks to you guys for the hints and ideas which eventually helped me troubleshoot this issue! I appreciate your assistance.

P.S. Btw, is there any way to hide plain text passwords from Dovecot log files? Disabling auth debugging won't help as the system may get compromised and the intruder can re-enable logs and grab the passwords from the logs. The only person who should know/see the password in clear text should be the respective mail user. Is there any way to achieve this?

On 2022-09-15 08:16, Aki Tuomi wrote:
>> On 14/09/2022 19:34 EEST Serveria Support <support at serveria.com>
>> wrote:
>>
>>
>> Thanks for your help. Do you know in which folder the keys are stored?
>> I'd like to check the permissions...
>>
>
>
> Some notes here, after reading this thread again:
>
> - Keys are stored in mail_attributes file, which depends on your
> config, but usually is %h/dovecot-attributes, which means it'll be in
> user's home directory.
>
> - The key format is Dovecot Dcrypt Key, you can use `doveadm mailbox
> cryptokey export` to export them in PEM format. Only **global keys**
> expect PEM formatted keys, which you are not using.
>
> - If you are using mail_crypt_private_password to encrypt the user
> key, you will need to provide this every time you want to access the
> user's emails, including using doveadm. Dovecot does not know what
> password you are using.
>
> - Your logs indicate that you are, still, using master userdb. This
> will not work. You cannot use master users with per-user encryption
> passwords in the way you do. If you want to use master users / master
> password, you must not encrypt the user key.
>
> - You should really focus on reading your logs, because they really do
> indicate that the userdb_mail_crypt_private_password is not exported
> anywhere, so clearly and obviously you are not able to access the
> mails.
>
> Maybe consider removing the master user authentication completely?
>
> Aki
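The P.S. above asks how to keep plaintext passwords out of Dovecot's logs. The "client in:" lines quoted earlier in the thread show where they come from: the `resp=` field is the SASL PLAIN initial response, which is base64 of `[authzid] NUL authcid NUL password`, so any log that keeps that field stores the password in reversible form (Dovecot itself flags this with "previous base64 data may contain sensitive data"). As far as I know, Dovecot only writes the raw `resp=` value when `auth_debug_passwords` is enabled (it defaults to `no`), so the first fix is configuration; the scrubber below is for logs that already exist or for a log pipeline that should never persist that field. It is an added example, not code from the thread, from Dovecot or from iRedMail; the log lines and the credential in it are constructed for the example and only mimic the thread's format. The decode in `is_sasl_plain_with_password` checks the shape of the blob and never returns the decoded bytes, so the tool can be run over archived logs without re-exposing what it finds.

```python
"""Scrub credential-bearing fields from Dovecot auth debug log lines.

Added example, not from the thread or from Dovecot. Assumes the "client in:"
line shape visible in the thread: tab-separated fields (syslog renders each
tab as "#011"), one of which is resp=<base64> carrying the SASL PLAIN
initial response ([authzid] NUL authcid NUL password per RFC 4616).
"""
import base64
import binascii
import re

# Constructed sample credential for this example; it is not from the thread.
SAMPLE_RESP = base64.b64encode(
    b"\x00alice@example.test\x00constructed-password"
).decode()

# Constructed log lines modelled on the thread's format. Only the second one
# carries a password; the third is a userdb reply and is left untouched.
SAMPLE_LOG = [
    "Sep 2 15:25:34 mx dovecot: auth: Debug: auth client connected (pid=899859)",
    "Sep 2 15:25:34 mx dovecot: auth: Debug: client in: "
    "AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=c0nstructedSess#011"
    "lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=36188#011"
    f"local_name=127.0.0.1#011resp={SAMPLE_RESP} "
    "(previous base64 data may contain sensitive data)",
    "Sep 2 15:25:34 mx dovecot: auth: Debug: master userdb out: "
    "USER#0111998585857#011alice@example.test#011home=/var/vmail/alice/"
    "#011mail=maildir:~/Maildir#011auth_mech=PLAIN",
]

# The resp= field: base64 alphabet followed by optional '=' padding.
RESP_RE = re.compile(r"(resp=)([A-Za-z0-9+/]+=*)")


def is_sasl_plain_with_password(b64: str) -> bool:
    """True if the blob decodes to a three-field SASL PLAIN message whose
    password field is non-empty. The decoded bytes never leave this function."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    fields = raw.split(b"\x00")
    return len(fields) == 3 and len(fields[2]) > 0


def redact_line(line: str) -> str:
    """Replace the resp= payload with a fixed marker and keep the rest of the
    line (mechanism, session id, ports) usable for troubleshooting."""
    return RESP_RE.sub(r"\1<redacted>", line)


def scrub(lines):
    """Redact every line and count how many actually carried a decodable
    password, which is the figure an incident review needs."""
    redacted, exposed = [], 0
    for line in lines:
        m = RESP_RE.search(line)
        if m and is_sasl_plain_with_password(m.group(2)):
            exposed += 1
        redacted.append(redact_line(line))
    return redacted, exposed


if __name__ == "__main__":
    out, n = scrub(SAMPLE_LOG)
    print(f"{n} line(s) carried a plaintext credential")
    print("\n".join(out))
```

Run over a real `/var/log/dovecot*` file this reports how many lines held a recoverable password and writes a copy with the field replaced by `<redacted>`; the session id and ports survive, so the redacted log still correlates with the `imap(...)<pid><session>` lines that follow it.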