Baljeet Bhinder
2023-Jan-08 16:55 UTC
Dovecot - mail_crypt - lmtp-server - no password to decrypt the key
I have been using postfix+dovecot successfully for a while now until I tried the mail crypt plugin lately. I tried what is described here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ and I went for global-keys as described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys

"A good solution for environments where no user folder sharing is needed is to generate per-user EC key pair and encrypt that with something derived from user's password."

I am setting mail_crypt_global_private_key, mail_crypt_global_public_key, mail_crypt_save_version from user_query and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt seems to work fine in imap (I saved a message as draft and it is stored encrypted on the disk), but lmtp complains about "mail_crypt_global_private_key_password unset, no password to decrypt the key". As you can see in the logs below, it was able to set all other mail_crypt_ configurations successfully from user_query. However, the password is provided via password_query and I assume lmtp does not read password_query. How else can I provide a password in lmtp? Is my approach correct to begin with?
-- Dovecot Configurations --
# using doveconf -n
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 5.15.0-57-generic x86_64 Ubuntu 20.04.5 LTS
# Hostname: mailserver-dovecot-7c9ff7b94b-8ldrr
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
debug_log_path = /dev/stdout
haproxy_trusted_networks = 192.168.0.0/16 10.10.10.0/24 10.10.30.0/24 172.17.0.1/16
hostname = imap.mailserver.k8s.local pop.mailserver.k8s.local
info_log_path = /dev/stdout
listen = *
log_path = /dev/stdout
mail_debug = yes
mail_gid = 1000
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/:LAYOUT=fs
mail_plugins = quota mail_crypt
mail_privileged_group = mail
mail_uid = 1000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY APPEND FLAG
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY APPEND FLAG
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_crypt_save_version = 0
  quota = maildir:User quota
  quota_exceeded_message = User %u has exhausted allowed storage space.
  quota_rule = Junk:ignore
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=90%% quota-warning 90 %u %d
  quota_warning2 = storage=80%% quota-warning 80 %u %d
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_global = /var/vmail/sieve/global/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
  sieve_pipe_bin_dir = /var/vmail/sieve/global
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = " imap lmtp sieve pop3"
service auth {
  inet_listener {
    port = 25252
  }
}
service imap-login {
  inet_listener imap {
    haproxy = yes
  }
  inet_listener imaps {
    haproxy = yes
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
    haproxy = yes
  }
  inet_listener pop3s {
    haproxy = yes
  }
}
ssl = required
ssl_cert = </etc/dovecot/certs/tls.crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  info_log_path = /dev/stdout
  log_path = /dev/stdout
  mail_plugins = quota mail_crypt sieve
  postmaster_address = <hidden>
}
protocol imap {
  mail_plugins = quota mail_crypt quota imap_quota imap_sieve
}
-- Dovecot Configurations Ends --

-- Password Query --
password_query = \
    SELECT username, domain, password, \
    '%{sha256:password}' AS userdb_mail_crypt_global_private_key_password \
    FROM mailbox \
    WHERE username='%u';
-- Password Query Ends --

-- User Query --
user_query = SELECT CONCAT('*:bytes=', 1024) as quota_rule, \
    private_key AS mail_crypt_global_private_key, \
    public_key AS mail_crypt_global_public_key, \
    mail_crypt_save_version AS mail_crypt_save_version \
    FROM mailbox \
    WHERE username='%u';
-- User Query Ends --

-- Debug Logs --
--- Load Inbox ---
imap-login: Info: Login: user=<someone at example.com>, method=PLAIN, rip=192.168.49.1, lip=192.168.49.2, mpid=241, TLS, session=<oaoI9sLxVKXAqDEB>
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_mail_crypt_plugin.so
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Module loaded: /usr/lib/dovecot/modules/lib95_imap_sieve_plugin.so
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_private_key_password=<hidden>
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_save_version=2
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota root: name=User quota backend=maildir args
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota rule: root=User quota mailbox=* bytes=1024000000 messages=0
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota rule: root=User quota mailbox=Trash bytes=+104857600 messages=0
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota warning: bytes=921600000 (90%) messages=0 reverse=no command=quota-warning 90 someone at example.com example.com
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota warning: bytes=819200000 (80%) messages=0 reverse=no command=quota-warning 80 someone at example.com example.com
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Quota grace: root=User quota bytes=102400000 (10%)
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: open(/proc/self/io) failed: Permission denied
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/:LAYOUT=fs
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: fs: root=/var/vmail/mailboxes/example.com/someone, index=, indexpvt=, control=, inbox=/var/vmail/mailboxes/example.com/someone, alt
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: quota: quota_over_flag check: quota_over_script unset - skipping
imap(someone at example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Mailbox INBOX: Mailbox opened
--- Load Inbox Ends ---

--- Lmtp ---
lmtp(248): Info: Connect from 172.17.0.1
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: userdb lookup(someone at example.com): Started userdb lookup
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb (pid=143,uid=0): Client connected (fd=18)
imap(someone at example.com)<247><WlggG8PxEOvAqDEB>: Debug: Mailbox Sent: Purging (new file_seq=1673195172): creating cache
imap(someone at example.com)<247><WlggG8PxEOvAqDEB>: Debug: Mailbox Sent: Purging finished, file_seq changed 0 -> 1673195172, size=0 -> 388, max_uid=0
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: userdb lookup(someone at example.com): auth USER input: someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: auth-master: userdb lookup(someone at example.com): Finished userdb lookup (username=someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2)
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
imap(someone at example.com)<247><WlggG8PxEOvAqDEB>: Debug: duplicate db: Initialize
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
imap(someone at example.com)<247><WlggG8PxEOvAqDEB>: Debug: sieve: Pigeonhole version 0.5.19 (4eae2f79) initializing
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Quota root: name=User quota backend=maildir args
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Quota rule: root=User quota mailbox=* bytes=1024000000 messages=0
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Quota rule: root=User quota mailbox=Trash bytes=+104857600 messages=0
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Quota warning: bytes=921600000 (90%) messages=0 reverse=no command=quota-warning 90 someone at example.com example.com
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Quota warning: bytes=819200000 (80%) messages=0 reverse=no command=quota-warning 80 someone at example.com example.com
lmtp(someone at example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Quota grace: root=User quota bytes=102400000 (10%)
lmtp(248): Error: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone at example.com: Failed to initialize user: mail_crypt_plugin: mail_crypt_global_private_key: mail_crypt_global_private_key_password unset, no password to decrypt the key
lmtp(248): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
--- Lmtp Ends ---
-- Debug Logs Ends --

Thanks
Baljeet Bhinder
Aki Tuomi
2023-Jan-09 13:00 UTC
Dovecot - mail_crypt - lmtp-server - no password to decrypt the key
> On 08/01/2023 18:55 EET Baljeet Bhinder <contact at baljeetbhinder.ca> wrote:
>
> I have been using postfix+dovecot successfully for a while now until I tried the mail crypt plugin lately. I tried what is described here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ and I went for global-keys as described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys
> "A good solution for environments where no user folder sharing is needed is to generate per-user EC key pair and encrypt that with something derived from user's password."
>
> I am setting mail_crypt_global_private_key, mail_crypt_global_public_key, mail_crypt_save_version from user_query and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt seems to work fine in imap (I saved a message as draft and it is stored encrypted on the disk), but lmtp complains about "mail_crypt_global_private_key_password unset, no password to decrypt the key". As you can see in the logs below, it was able to set all other mail_crypt_ configurations successfully from user_query. However, the password is provided via password_query and I assume lmtp does not read password_query. How else can I provide a password in lmtp? Is my approach correct to begin with?

Hi!

The problem with user-password derivation is what you've run into. Some features, like quota or FTS, might need to access user's mail without being able to access the password, because it's not available.

If you run into these, the only thing you can do is to not use conflicting features. Using user's password as the encryption key is a very tricky thing to get working right.

> Thanks
> Baljeet Bhinder

Regards,
Aki
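The two debug sessions in the first post differ in exactly one `Added userdb setting` line, and the LMTP error names that missing setting. The script below is an added diagnostic, not code from the thread or from Dovecot: it groups Dovecot's `Added userdb setting: plugin/...` debug lines by service and pid, lists which of the settings an encrypted global key needs reached each session, ties any `... unset, no password to decrypt the key` error to the setting it names, and separately reads the two SQL queries from the first post to report which required setting only password_query supplies. The sample log lines are constructed from the ones posted above (with `@` restored in the address); the assumption that fields returned by password_query never reach an LMTP delivery session, because LMTP only performs a userdb lookup, is the one the original poster makes and the two sessions' logs bear out.

```python
"""Added diagnostic (not from the thread or from Dovecot): which mail_crypt
userdb settings reached which Dovecot session, and which required setting is
supplied only by password_query."""
import re
from collections import defaultdict

# Settings mail_crypt needs when the global private key is stored encrypted,
# which is the layout the first post uses.
REQUIRED = {
    "mail_crypt_global_public_key",
    "mail_crypt_global_private_key",
    "mail_crypt_global_private_key_password",
}

# Two prefix shapes from the debug logs: "imap(user)<pid><session>: Level: msg"
# and the process-level form "lmtp(248): Level: msg".
USER_LINE = re.compile(
    r"^(?P<service>[a-z0-9-]+)\((?P<user>[^)]+)\)<(?P<pid>\d+)><[^>]*>: "
    r"(?P<level>\w+): (?P<msg>.*)$")
PROC_LINE = re.compile(
    r"^(?P<service>[a-z0-9-]+)\((?P<pid>\d+)\): (?P<level>\w+): (?P<msg>.*)$")
SETTING = re.compile(r"Added userdb setting: plugin/(?P<key>\w+)=")
UNSET = re.compile(r"(?P<key>\w+) unset, no password to decrypt the key")
# SQL column aliases; the "userdb_" prefix used on passdb fields is stripped.
ALIAS = re.compile(r"\bAS\s+(?:userdb_)?(\w+)", re.IGNORECASE)


def parse_line(line):
    """Return (service, pid, level, msg), or None for an unrecognised line."""
    m = USER_LINE.match(line) or PROC_LINE.match(line)
    return None if m is None else (m["service"], m["pid"], m["level"], m["msg"])


def analyze(log_text):
    """Per (service, pid): REQUIRED settings that arrived, those that did not,
    and the setting named by any 'unset' error logged by that process."""
    seen = defaultdict(lambda: {"present": set(), "errors": []})
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        service, pid, level, msg = parsed
        entry = seen[(service, pid)]
        if (s := SETTING.search(msg)):
            entry["present"].add(s["key"])
        if level == "Error" and (u := UNSET.search(msg)):
            entry["errors"].append(u["key"])
    return {
        key: {
            "present": sorted(d["present"] & REQUIRED),
            "missing": sorted(REQUIRED - d["present"]),
            "errors": d["errors"],
        }
        for key, d in seen.items()
    }


def lmtp_gap(password_query, user_query):
    """REQUIRED settings that only password_query supplies. Assumption: LMTP
    does no passdb lookup, so these never reach an LMTP delivery session."""
    from_passdb = set(ALIAS.findall(password_query))
    from_userdb = set(ALIAS.findall(user_query))
    return sorted((REQUIRED & from_passdb) - from_userdb)


# Constructed sample, abbreviated from the first post's logs ("@" restored).
SAMPLE_LOG = """\
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_private_key_password=<hidden>
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
imap(someone@example.com)<241><oaoI9sLxVKXAqDEB>: Debug: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(248): Info: Connect from 172.17.0.1
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
lmtp(someone@example.com)<248><e2dcD6TuumP4AAAALzF/Qw>: Debug: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(248): Error: lmtp-server: conn 172.17.0.1:6376 [1]: rcpt someone@example.com: Failed to initialize user: mail_crypt_plugin: mail_crypt_global_private_key: mail_crypt_global_private_key_password unset, no password to decrypt the key
"""

# The two queries from the first post, as plain strings.
PASSWORD_QUERY = """SELECT username, domain, password,
    '%{sha256:password}' AS userdb_mail_crypt_global_private_key_password
    FROM mailbox WHERE username='%u'"""
USER_QUERY = """SELECT CONCAT('*:bytes=', 1024) as quota_rule,
    private_key AS mail_crypt_global_private_key,
    public_key AS mail_crypt_global_public_key,
    mail_crypt_save_version AS mail_crypt_save_version
    FROM mailbox WHERE username='%u'"""

if __name__ == "__main__":
    for (service, pid), r in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{service}({pid}): missing={r['missing']} errors={r['errors']}")
    print("supplied only by password_query:", lmtp_gap(PASSWORD_QUERY, USER_QUERY))
```

Run against the real log (pipe `doveadm log find` output or the container's stdout into `analyze`), the report shows the imap session with all three settings present and the lmtp session missing only `mail_crypt_global_private_key_password`, the same name that appears in its error line; `lmtp_gap` gives the same answer from the configuration alone, before any mail is delivered.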
contact at baljeetbhinder.ca
2023-Jan-09 15:01 UTC
Dovecot - mail_crypt - lmtp-server - no password to decrypt the key
Thanks for the heads up about plugins, Aki. I have disabled the quota and sieve plugins and I don't think I have enabled fts. (If it is enabled by default, can you point me to the configuration for how to disable it? I have tried this https://doc.dovecot.org/configuration_manual/fts/ and was not able to find a flag to turn it off.) But the error seems to persist.

---- Dovecot Configs ----
# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 5.15.0-57-generic x86_64 Ubuntu 20.04.5 LTS
# Hostname: mailserver-dovecot-7c9ff7b94b-h4r8m
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
debug_log_path = /dev/stdout
haproxy_trusted_networks = 192.168.0.0/16 10.10.10.0/24 10.10.30.0/24 172.17.0.1/16
hostname = imap.mailserver.k8s.local pop.mailserver.k8s.local
info_log_path = /dev/stdout
listen = *
log_path = /dev/stdout
mail_debug = yes
mail_gid = 1000
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/:LAYOUT=fs
mail_plugins = mail_crypt
mail_privileged_group = mail
mail_uid = 1000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY APPEND FLAG
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY APPEND FLAG
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_crypt_save_version = 0
  quota = maildir:User quota
  quota_exceeded_message = User %u has exhausted allowed storage space.
  quota_rule = Junk:ignore
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=90%% quota-warning 90 %u %d
  quota_warning2 = storage=80%% quota-warning 80 %u %d
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_global = /var/vmail/sieve/global/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.debug
  sieve_pipe_bin_dir = /var/vmail/sieve/global
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = " imap lmtp sieve pop3"
service auth {
  inet_listener {
    port = 25252
  }
}
service imap-login {
  inet_listener imap {
    haproxy = yes
  }
  inet_listener imaps {
    haproxy = yes
    ssl = yes
  }
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 0.0.0.0
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service pop3-login {
  inet_listener pop3 {
    haproxy = yes
  }
  inet_listener pop3s {
    haproxy = yes
  }
}
ssl = required
ssl_cert = </etc/dovecot/certs/tls.crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  info_log_path = /dev/stdout
  log_path = /dev/stdout
  mail_plugins = mail_crypt
  postmaster_address = contact at baljeetbhinder.ca
}
protocol imap {
  mail_plugins = mail_crypt quota imap_quota imap_sieve
}
---- Dovecot Configs Ends ----

---- Lmtp Log ----
lmtp(273): Info: Connect from 172.17.0.1
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): Started userdb lookup
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb (pid=144,uid=0): Client connected (fd=18)
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): auth USER input: someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): Finished userdb lookup (username=someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2)
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
lmtp(someone at example.com)<273><e0AjL8EovGMRAQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: mail_crypt_plugin: mail_crypt_curve setting missing - generating EC keys disabled
lmtp(273): Error: lmtp-server: conn 172.17.0.1:62376 [1]: rcpt someone at example.com: Failed to initialize user: mail_crypt_plugin: mail_crypt_global_private_key: mail_crypt_global_private_key_password unset, no password to decrypt the key
lmtp(273): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
---- Lmtp Log Ends ----

How can I tell which plugin is conflicting here?

January 9, 2023 6:00 AM, "Aki Tuomi" <aki.tuomi at open-xchange.com> wrote:

>> On 08/01/2023 18:55 EET Baljeet Bhinder <contact at baljeetbhinder.ca> wrote:
>>
>> I have been using postfix+dovecot successfully for a while now until I tried the mail crypt plugin lately. I tried what is described here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin and I went for global-keys as described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys
>> "A good solution for environments where no user folder sharing is needed is to generate per-user EC key pair and encrypt that with something derived from user's password."
>>
>> I am setting mail_crypt_global_private_key, mail_crypt_global_public_key, mail_crypt_save_version from user_query and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt seems to work fine in imap (I saved a message as draft and it is stored encrypted on the disk), but lmtp complains about "mail_crypt_global_private_key_password unset, no password to decrypt the key". As you can see in the logs below, it was able to set all other mail_crypt_ configurations successfully from user_query. However, the password is provided via password_query and I assume lmtp does not read password_query. How else can I provide a password in lmtp? Is my approach correct to begin with?
>
> Hi!
>
> The problem with user-password derivation is what you've run into. Some features, like quota or FTS, might need to access user's mail without being able to access the password, because it's not available.
>
> If you run into these, the only thing you can do is to not use conflicting features. Using user's password as the encryption key is a very tricky thing to get working right.
>
>> Thanks
>> Baljeet Bhinder
>
> Regards,
> Aki
Baljeet Bhinder
2023-Jan-09 15:15 UTC
Dovecot - mail_crypt - lmtp-server - no password to decrypt the key
Not sure if that helps in finding the conflicting plugin, but here is the success log that saves an unencrypted mail (after disabling mail_crypt).

---- Lmtp Log ----
lmtp(314): Info: Connect from 172.17.0.1
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): Started userdb lookup
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb (pid=144,uid=0): Client connected (fd=18)
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): auth USER input: someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: auth-master: userdb lookup(someone at example.com): Finished userdb lookup (username=someone at example.com quota_rule=*:bytes=1024000000 mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg== mail_crypt_save_version=2)
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_private_key=LS0tLS1CRUd.....LS0tLS0K
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_global_public_key=LS0tLS1CRUd.....LS0tCg==
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Added userdb setting: plugin/mail_crypt_save_version=2
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Added userdb setting: plugin/quota_rule=*:bytes=1024000000
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Effective uid=1000, gid=1000, home=/var/vmail/mailboxes/example.com/someone
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/:LAYOUT=fs
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: fs: root=/var/vmail/mailboxes/example.com/someone, index=, indexpvt=, control=, inbox=/var/vmail/mailboxes/example.com/someone, alt
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: Mailbox INBOX: Mailbox opened
lmtp(someone at example.com)<314><FL0GDhguvGM6AQAAR5uF9w>: Info: msgid=<4e6b1652-8a1f-892f-af09-b9447dbbfcfd at example.com>: saved mail to INBOX
lmtp(314): Debug: lmtp-server: conn 172.17.0.1:5237 [1]: rcpt someone at example.com: User session is finished
lmtp(314): Info: Disconnect from 172.17.0.1: Logged out (state=READY)
---- Lmtp Log Ends ----

January 9, 2023 6:00 AM, "Aki Tuomi" <aki.tuomi at open-xchange.com> wrote:

>> On 08/01/2023 18:55 EET Baljeet Bhinder <contact at baljeetbhinder.ca> wrote:
>>
>> I have been using postfix+dovecot successfully for a while now until I tried the mail crypt plugin lately. I tried what is described here https://doc.dovecot.org/configuration_manual/mail_crypt_plugin and I went for global-keys as described here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys
>> "A good solution for environments where no user folder sharing is needed is to generate per-user EC key pair and encrypt that with something derived from user's password."
>>
>> I am setting mail_crypt_global_private_key, mail_crypt_global_public_key, mail_crypt_save_version from user_query and userdb_mail_crypt_global_private_key_password from password_query. mail_crypt seems to work fine in imap (I saved a message as draft and it is stored encrypted on the disk), but lmtp complains about "mail_crypt_global_private_key_password unset, no password to decrypt the key". As you can see in the logs below, it was able to set all other mail_crypt_ configurations successfully from user_query. However, the password is provided via password_query and I assume lmtp does not read password_query. How else can I provide a password in lmtp? Is my approach correct to begin with?
>
> Hi!
>
> The problem with user-password derivation is what you've run into. Some features, like quota or FTS, might need to access user's mail without being able to access the password, because it's not available.
>
> If you run into these, the only thing you can do is to not use conflicting features. Using user's password as the encryption key is a very tricky thing to get working right.
>
>> Thanks
>> Baljeet Bhinder
>
> Regards,
> Aki

Thanks,
Baljeet Bhinder