Displaying 20 results from an estimated 27 matches for "mail_crypt_global_private_key".
2023 Jan 08
3
Dovecot - mail_crypt - lmtp-server - no password to decrypt the key
...eys as described here:
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/#global-keys
/"A good solution for environments where no user folder sharing is
needed is to generate per-user EC key pair and encrypt that with
something derived from user's password."/
I am setting mail_crypt_global_private_key,
mail_crypt_global_public_key, mail_crypt_save_version from user_query
and userdb_mail_crypt_global_private_key_password from password_query.
mail_crypt seems to work fine in imap (I saved a message as draft and it
is stored encrypted on the disk), but lmtp complains about
"mail_crypt_glo...
2017 Nov 06
2
mail_crypt plugin, few questions
> Message written by Aki Tuomi <aki.tuomi at dovecot.fi> on 06.11.2017, at 08:44:
>
> On 04.11.2017 20:52, Zbyszek ???kiewski wrote:
>> Hi,
>>
>> I have a few questions regarding mail_crypt:
>>
>> 1) Is mail_crypt_global_private_key file read upon dovecot start/restart only or it is/can be read at any other time? I have made a few tests by starting dovecot and removing master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
> It can be given from con...
2017 Nov 06
1
mail_crypt plugin, few questions
...written by Aki Tuomi <aki.tuomi at dovecot.fi> on 06.11.2017, at 08:44:
>>>
>>> On 04.11.2017 20:52, Zbyszek ???kiewski wrote:
>>>> Hi,
>>>>
>>>> I have a few questions regarding mail_crypt:
>>>>
>>>> 1) Is mail_crypt_global_private_key file read upon dovecot start/restart only or it is/can be read at any other time? I have made a few tests by starting dovecot and removing master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
>>> It can be given...
2017 Nov 04
2
mail_crypt plugin, few questions
Hi,
I have a few questions regarding mail_crypt:
1) Is mail_crypt_global_private_key file read upon dovecot start/restart only or it is/can be read at any other time? I have made a few tests by starting dovecot and removing master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
2) Is there planned any ?rol...
2019 Apr 09
3
decrypt.rb
...>> using it the way it's intended to be used, but maybe I'm not?!
>> -Dave
>
> Hi!
> Maybe the key you tried was not used to encrypt the file?
> Aki
Aki, it's the same key I've used in the config for the mail_crypt plugin
in 90-plugin.conf:
plugin {
  mail_crypt_global_private_key = <[PATH_TO_PRIVATE_KEY]
  mail_crypt_global_public_key = <[PATH_TO_PUBLIC_KEY]
  mail_crypt_save_version = 2
}
That's the private key that's encrypting all of the messages
successfully, so that's the one I would use with script, correct?
-Dave
2017 Nov 06
0
mail_crypt plugin, few questions
...:
>
>> Message written by Aki Tuomi <aki.tuomi at dovecot.fi> on 06.11.2017, at 08:44:
>>
>> On 04.11.2017 20:52, Zbyszek ???kiewski wrote:
>>> Hi,
>>>
>>> I have a few questions regarding mail_crypt:
>>>
>>> 1) Is mail_crypt_global_private_key file read upon dovecot start/restart only or it is/can be read at any other time? I have made a few tests by starting dovecot and removing master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
>> It can be given from...
2018 May 17
1
Decryption method for Maildir messages stored by mail_crypt plugin
...t some of our administrative operations require
access to Maildir messages in plaintext.
I've found numerous threads detailing help with mail_crypt setup, but none
of my research has yielded a method of decrypting the stored messages.
Relevant plugin config:
mail_crypt_curve = prime256v1
mail_crypt_global_private_key = <pirvkey>
mail_crypt_global_public_key = <pubkey>
mail_crypt_save_version = 2
Method I attempted for manual decryption is listed below:
openssl pkeyutl -derive -inkey mailcrypt.key -peerkey mailcrypt.pub -out
shared_secret.bin
openssl enc -aes256 -base64 -k $(base64 shared_secre...
2019 May 23
1
MailCrypt plugin questions
I read the mailcrypt plugin document on the wiki and had a couple of
questions.
1. If I want per-user encryption am I correct I should configure global
keys with all related settings override in the userdb lookup?
2. If I do not want to encrypt some user accounts, is it enough to omit
the mail_crypt_global_private_key from the userdb lookup? In other words,
mail_plugins still active with mail_crypt, will that cause user account
to be encrypted unexpectedly if no private key is given?
3. Example command to create EC key does not ask for password, openssl
ecparam command does not seem to have password arg. If I...
2018 Feb 17
1
`mail_crypt` Doesn't Appear to be Working
Dovecot version: 2.2.22 (fe789d2)
I generated an EC key from the page https://wiki2.dovecot.org/Plugins/. For
reference here's my /etc/dovecot/conf.d/10-mail-crypt.conf file:
----
mail_plugins = $mail_plugins mail_crypt
plugin {
# mail_crypt_global_private_key = </etc/dovecot/ecprivkey.pem
mail_crypt_global_public_key = </etc/dovecot/ecpubkey.pem
mail_crypt_save_version = 2
}
----
I saw in a previous message on this mailing list that messages can be
encrypted without the private key, so it's stored elsewhere. :-)
After restarting dov...
2019 Dec 01
2
Mail-crypt won't encrypt emails
...t up the mail-crypt plugin
to encrypt all incoming and outgoing emails. Outgoing emails seem to get
encrypted fine but the incoming ones don't. We tried everything
including this config:
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_global_private_key = <ecprivkey.pem
mail_crypt_global_public_key = <ecpubkey.pem
mail_crypt_save_version = 2
}
also this one:
plugin {
mail_crypt_curve = prime256v1
mail_crypt_save_version = 2
}
but to no avail. There are no visible errors, Dovecot restarts fine and
outgoing emails get encrypte...
2017 Nov 06
0
mail_crypt plugin, few questions
On 04.11.2017 20:52, Zbyszek ???kiewski wrote:
> Hi,
>
> I have a few questions regarding mail_crypt:
>
> 1) Is mail_crypt_global_private_key file read upon dovecot start/restart only or it is/can be read at any other time? I have made a few tests by starting dovecot and removing master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
It can be given from config f...
2017 Dec 10
0
Mail-crypt plugin clarification
...seems that mail-crypt needs both a private and a public key to work. Is
this correct?
- If mail-crypt has both private and public key in its configuration, does
that not defeat the purpose of the whole thing? Anyone with access to the
disk will be able to read everything?
Regarding the settings:
mail_crypt_global_private_key(_n) - Private key to decrypt files, you can
specify many
mail_crypt_global_public_key - Public key to use to encrypt files, you can
specify one
- How does this work? What does mail-crypt do when multiple private keys are
specified?
mail_crypt_private_key - Private key to decrypt user's master...
2019 Apr 08
2
decrypt.rb
Per the Dovecot site here:
https://wiki.dovecot.org/Plugins/MailCrypt
... the "decrypt.rb" ruby script can be used to decrypt a
Dovecot-encrypted message file from the command line. The script sort
of runs successfully for me, in the sense that it doesn't error out, but
it doesn't show the decrypted message.
I've called it like so:
decrypt.rb -k
2019 Apr 10
0
decrypt.rb
...be used, but maybe I'm not?!
> >> -Dave
> >
> > Hi!
> > Maybe the key you tried was not used to encrypt the file?
> > Aki
>
> Aki, it's the same key I've used in the config for the mail_crypt
> plugin in 90-plugin.conf:
>
> plugin {
>   mail_crypt_global_private_key = <[PATH_TO_PRIVATE_KEY]
>   mail_crypt_global_public_key = <[PATH_TO_PUBLIC_KEY]
>   mail_crypt_save_version = 2
> }
>
> That's the private key that's encrypting all of the messages
> successfully, so that's the one I would use with script, correct?
> -Dave
...
2019 May 16
1
Setting up individual encrypted user keys using mail-crypt-plugin
Hi,
I have set up a simple mail server using the ISPMail tutorial and I'm trying to learn how to create email encryption at rest.
I'm having a tough time understanding how to set this up...
So say a user logs in through Roundcube and they type in their password... so the password authenticates to the MySQL database which is storing their encrypted private key? And once they access that
2019 Sep 30
0
Mail-crypt won't encrypt emails
...t up the mail-crypt plugin
to encrypt all incoming and outgoing emails. Outgoing emails seem to get
encrypted fine but the incoming ones don't. We tried everything
including this config:
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_global_private_key = <ecprivkey.pem
mail_crypt_global_public_key = <ecpubkey.pem
mail_crypt_save_version = 2
}
also this one:
plugin {
mail_crypt_curve = prime256v1
mail_crypt_save_version = 2
}
but to no avail. There are no visible errors, Dovecot restarts fine and
outgoing emails get encrypte...
2018 Jun 14
0
Namespaces for Apple Client
...flags notify
namespace inbox {
inbox = yes
location =
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
auto = create
special_use = \Sent
}
prefix = INBOX.
separator = .
type = private
}
passdb {
driver = plesk
}
plugin {
mail_crypt_global_private_key = <ecprivkey.pem
mail_crypt_global_public_key = <ecpubkey.pem
mail_crypt_save_version = 2
quota = maildir:User quota
quota_grace = 0
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_extensions = +notify +imapflags
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_logo...
2020 Apr 25
4
problem with a public folder
...am
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_name = *
last_login_dict = proxy::lastlogin
last_login_key = # hidden, use -P to show it
mail_crypt_curve = prime256v1
mail_crypt_global_private_key = # hidden, use -P to show it
mail_crypt_global_public_key = # hidden, use -P to show it
mail_crypt_save_version = 2
mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size
quota = count:User quota
quota_exceeded_message = Storag...
2018 Dec 08
2
doveadm batch crash
...mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = .
}
passdb {
driver = pam
}
plugin {
acl = vfile
mail_crypt_global_private_key = <### redacted ###
mail_crypt_global_public_key = <### redacted ###
mail_crypt_save_version = 2
stats_memory_limit = 16 M
stats_refresh = 30 secs
stats_track_cmds = yes
}
postmaster_address = ### redacted ###
protocols = imap
service auth {
unix_listener /var/spool/postfix/...
2017 Jan 13
2
Plugin "mail_crypt" does not work
...mespace inbox {
inbox = yes
location =
prefix =
separator = /
type = private
}
passdb {
driver = pam
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
mail_crypt_curve = prime256v1
mail_crypt_global_private_key = </etc/dovecot/eckey/ecprivkey.pem
mail_crypt_global_public_key = </etc/dovecot/eckey/ecpubkey.pem
mail_crypt_save_version = 2
recipient_delimiter = +
sieve = /etc/dovecot/sieves/default.sieve
sieve_default = /etc/dovecot/sieves/default.sieve
sieve_dir = ~/sieve
sieve_extension...