Martin Stenzel
2023-Apr-10 12:37 UTC
https://www.mail-archive.com/dovecot@dovecot.org/msg77000.html
Hi team,
regarding:
https://www.mail-archive.com/dovecot at dovecot.org/msg77000.html
I have the very same problem.
terve:/tmp #decrypt.rb -k /etc/dovecot/mailcrypt/ecpubkey.pem -f
./1681118363....terve.xy-space.de\,S\=3452\,W\=3515\:2\,S
Key(s) (total: 1)
?- Key type ?: EC
?- Key digest: a27b201cf7f59f...
?- Peer key ?: 04aaca0143208904deced2732aaa...
?- Encrypted : 4cde641bff16098b91bfaf66...
?- Kd hash ??: 9e229ec6c0...
terve:/tmp #decrypt.rb -k /etc/dovecot/mailcrypt/ecprivkey.pem -f
./16811....terve.xy-space.de\,S\=3452\,W\=3515\:2\,S
Key(s) (total: 1)
?- Key type ?: EC
?- Key digest: a27b201cf7f59f978bb9b27947f60a9...
?- Peer key ?: 04aaca0143208904deced2732aaaf127...
?- Encrypted : 4cde641bff16098b91bfaf66c9...
?- Kd hash ??: 9e229ec6c09...
terve:/tmp #decrypt.rb -i -k /etc/dovecot/mailcrypt/ecprivkey.pem -f
./1681118...terve.xy-space.de\,S\=3452\,W\=3515\:2
\,S
Version ??????: 2
Flags ????????: AEAD integrity
Header length : 255
Cipher algo ??: aes-256-gcm (2.16.840.1.101.3.4.1.46)
Digest algo ??: sha256 (2.16.840.1.101.3.4.2.1)
Key derivation
?- Rounds ???: 2048
...
N. B. Before posting I arbitrarily removed numbers from the output,
maybe paranoid...
Environment:
openSuSE Linux server.
dovecot version 2.3.20
openssl version 1.1.1
ruby version 3.1.2p20
decrypt.rb version
https://gist.github.com/cmouse/882f2e2a60c1e49b7d343f5a6a2721de
This is the way I generated the keys:
openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem
openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem
This is the 10-mailcrypt.conf:
mail_plugins = $mail_plugins mail_crypt
plugin {
???#fts_index_fs =
crypt:set_prefix=fscrypt_index:posix:set_prefix=/tmp/fts
???mail_crypt_global_private_key = </etc/dovecot/mailcrypt/ecprivkey.pem
???mail_crypt_global_public_key = </etc/dovecot/mailcrypt/ecpubkey.pem
???mail_crypt_save_version = 2
}
Encryption of incoming (thanks to dovecot-lda), as well as outgoing
mails works perfectly.
But for me it is more a feature than a bug, since now, even as root I am
not able to decrypt users mails.
This serves plausible deniability.
But how can I make sure, that NOBODY ELSE can decrypt with this specific
private key?
Is there ANY OTHER way to decrypt the mails besides the script?
Have a nice Monday, and THANKS for taking your time!
Martin, Cologne
P. S. Did you notice, that as an argument (-k) the results are the same,
both with private and public key?
P.P.S. If i give the "-w" argument and a file name, the file remains
empty, tried even that without success.
P.P.P.S. If I call the script with ruby version 2 it bails out...
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20230410/44bd3a2b/attachment.htm>
William Edwards
2023-Apr-10 18:03 UTC
https://www.mail-archive.com/dovecot@dovecot.org/msg77000.html
> Op 10 apr. 2023 om 18:40 heeft Martin Stenzel <stenzel at bw-host.de> het volgende geschreven: > > ? > Hi team, > > regarding: > > https://www.mail-archive.com/dovecot at dovecot.org/msg77000.html > > > > I have the very same problem. > > > > terve:/tmp # decrypt.rb -k /etc/dovecot/mailcrypt/ecpubkey.pem -f ./1681118363....terve.xy-space.de\,S\=3452\,W\=3515\:2\,S > > Key(s) (total: 1) > - Key type : EC > - Key digest: a27b201cf7f59f... > - Peer key : 04aaca0143208904deced2732aaa... > - Encrypted : 4cde641bff16098b91bfaf66... > - Kd hash : 9e229ec6c0... > terve:/tmp # decrypt.rb -k /etc/dovecot/mailcrypt/ecprivkey.pem -f ./16811....terve.xy-space.de\,S\=3452\,W\=3515\:2\,S > > > Key(s) (total: 1) > - Key type : EC > - Key digest: a27b201cf7f59f978bb9b27947f60a9... > - Peer key : 04aaca0143208904deced2732aaaf127... > - Encrypted : 4cde641bff16098b91bfaf66c9... > - Kd hash : 9e229ec6c09... > > > terve:/tmp # decrypt.rb -i -k /etc/dovecot/mailcrypt/ecprivkey.pem -f ./1681118...terve.xy-space.de\,S\=3452\,W\=3515\:2 > \,S > Version : 2 > Flags : AEAD integrity > Header length : 255 > Cipher algo : aes-256-gcm (2.16.840.1.101.3.4.1.46) > Digest algo : sha256 (2.16.840.1.101.3.4.2.1) > > Key derivation > - Rounds : 2048 > > ... > > > N. B. Before posting I arbitrarily removed numbers from the output, maybe paranoid... >Why?> > Environment: > > openSuSE Linux server. > > dovecot version 2.3.20 > > openssl version 1.1.1 > > ruby version 3.1.2p20 > > decrypt.rb version https://gist.github.com/cmouse/882f2e2a60c1e49b7d343f5a6a2721de > > > > This is the way I generated the keys: > > openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem > openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem > > > This is the 10-mailcrypt.conf: > > mail_plugins = $mail_plugins mail_crypt > > plugin { > #fts_index_fs = crypt:set_prefix=fscrypt_index:posix:set_prefix=/tmp/fts > mail_crypt_global_private_key = </etc/dovecot/mailcrypt/ecprivkey.pem > mail_crypt_global_public_key = </etc/dovecot/mailcrypt/ecpubkey.pem > mail_crypt_save_version = 2 > } > > > Encryption of incoming (thanks to dovecot-lda), as well as outgoing mails works perfectly. > > > > But for me it is more a feature than a bug, since now, even as root I am not able to decrypt users mails. > > This serves plausible deniability. > > > > But how can I make sure, that NOBODY ELSE can decrypt with this specific private key? > > Is there ANY OTHER way to decrypt the mails besides the script? > > > > Have a nice Monday, and THANKS for taking your time! > > Martin, Cologne > > > > P. S. Did you notice, that as an argument (-k) the results are the same, both with private and public key? > > P.P.S. If i give the "-w" argument and a file name, the file remains empty, tried even that without success. > > P.P.P.S. If I call the script with ruby version 2 it bails out... > > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20230410/4bdc4b46/attachment.htm>
Aki Tuomi
2023-Apr-11 06:03 UTC
https://www.mail-archive.com/dovecot@dovecot.org/msg77000.html
> On 10/04/2023 15:37 EEST Martin Stenzel <stenzel at bw-host.de> wrote: > > > Hi team, > regarding: > https://www.mail-archive.com/dovecot at dovecot.org/msg77000.html > > > I have the very same problem. > ><snip/> Hi! It seems that the ruby openssl module interface has changed slightly, I'll look into it. We might as well move it to https://github.com/dovecot/tools while at it. For what it's worth, it works with ruby2.7 for me. The reason it looks the same with -k pub and priv, is that the key does not match, so it just tells you what key to expect. I'll make the output bit more verbose about this too. Aki> Have a nice Monday, and THANKS for taking your time! > > Martin, Cologne > > > > P. S. Did you notice, that as an argument (-k) the results are the same, both with private and public key? > P.P.S. If i give the "-w" argument and a file name, the file remains empty, tried even that without success. > > P.P.P.S. If I call the script with ruby version 2 it bails out... > >