> On 19 May 2018 at 16:40 [email protected] wrote:
> 
> > May 18, 2018 10:01 PM, "Aki Tuomi" <[email protected]> wrote:
> > 
> >> On 18 May 2018 at 21:44 [email protected] wrote:
> >> 
> >> May 18, 2018 4:43 PM, "Aki Tuomi" <[email protected]> wrote:
> >> On 18 May 2018 at 17:38 [email protected] wrote:
> >> 
> >> May 18, 2018 4:05 PM, "Aki Tuomi" <[email protected]> wrote:
> >> On 18 May 2018 at 16:43 [email protected] wrote:
> >> 
> >> Hi Tai74 and Aki,
> >> I followed your conversation with interest on how to set up per-user
> >> encryption in Dovecot.
> >> I have set up my Dovecot with the following in a conf file:
> >> 
> >> ==============
> >> 
> >> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
> >> mail_plugins = $mail_plugins mail_crypt
> >> plugin {
> >>   mail_crypt_curve = secp521r1
> >>   mail_crypt_save_version = 2
> >> }
> >> 
> >> ==============
> >> 
> >> This works nicely; all emails are being encrypted and every user/folder has
> >> keys.
> >> But as I understood from your conversation these keys are not protected,
> >> and I want them to be protected by the user's password used for IMAP.
> >> 
> >> Those passwords are stored in a MySQL DB. (I used a guide from
> >> workaround [dot] org to set up the DB and Postfix/Dovecot.)
> >> 
> >> But how would I set it so that the user's password from the DB is used to
> >> encrypt the keys?
> >> 
> >> Should I use mail_crypt_private_password = ?
> >> How do I point it to the MySQL DB then?
> >> I'm unsure about this.
> >> 
> >> Do you have any hints on this?
> >> 
> >> Kind regards,
> >> Zjemm
> >> 
> >> The passwords in your MySQL database are, hopefully, not in plaintext. If
> >> you want to secure your users' keys using the user's login password, you
> >> must have a TOOL that manages this.
> >> 
> >> You can use mail_crypt_private_password = %w in (mysql) passdb fields to
> >> provide the user's login password as private password. You might want to
> >> run it thru some hash, so %{sha1:password} might be a good option.
> >> 
> >> You can change the key password using 'doveadm mailbox cryptokey'; this
> >> needs to be done every time the user changes his password.
> >> 
> >> Also note that if you go down this road, and the user forgets his
> >> password, you will not be able to recover the emails without a backup copy
> >> of the private key.
> >> 
> >> Aki
> >> 
> >> Hi Aki
> >> 
> >> I used the following command:
> >> dovecot pw -s SHA256-CRYPT
> >> 
> >> The output on the chosen password looks like:
> >> {SHA256-CRYPT}$5$Rokc06a7In4SF3bO$OQpGQWqg........
> >> 
> >> This output is stored in the password fields in the database. So no
> >> plain text passwords :)
> >> 
> >> > You can use mail_crypt_private_password = %w in (mysql) passdb fields to
> >> > provide the user's login password as private password.
> >> 
> >> Can you explain this a bit more for me?
> >> 
> >> For now I have in the 10-auth.conf file the following:
> >> ==============
> >> passdb {
> >>   driver = sql
> >> 
> >>   # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
> >>   args = /etc/dovecot/dovecot-sql.conf.ext
> >> }
> >> 
> >> and:
> >> 
> >> userdb {
> >>   driver = static
> >>   args = uid=vmail gid=vmail home=/var/vmail/%d/%n
> >> }
> >> ==============
> >> 
> >> Then I have in dovecot-sql.conf.ext:
> >> ==============
> >> driver = mysql
> >> connect = host=x.x.x.x dbname=mailserver user=mailuser password=mailpasswordexample
> >> default_pass_scheme = SHA256-CRYPT
> >> password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
> >> ==============
> >> Where do I need to set: mail_crypt_private_password = %w ?
> >> 
> >> > password as private password. You might want to run it thru some hash, so
> >> > %{sha1:password} might be a good option.
> >> 
> >> The passwords are already hashed in the DB using: dovecot pw -s
> >> SHA256-CRYPT to generate the hash, so this step isn't necessary anymore,
> >> am I right?
> >> 
> >> Thank you for your quick response, very helpful.
> >> 
> >> Zjemm
> >> 
> >> You misunderstood a bit. The idea is to use the *plaintext* password as
> >> the password for the private key. Otherwise anyone could just decrypt it
> >> by looking at your database where the hashed password is..
> >> 
> >> So:
> >> 
> >> password_query = SELECT email as user, password, '%w' AS userdb_mail_crypt_private_password FROM virtual_users WHERE email='%u'
> >> 
> >> Aki
> >> 
> >> Hi Aki,
> >> 
> >> Thank you very much for your help, I really appreciate that.
> >> 
> >> OK, so if I understand it correctly I'll have to use:
> >> 
> >> password_query = SELECT email as user, password, '%w' AS userdb_mail_crypt_private_password FROM virtual_users WHERE email='%u'
> >> 
> >> in my dovecot-sql.conf.ext file.
> >> 
> >> This query selects the user, the password, and %w.
> >> 
> >> If I run a little query myself:
> >> MariaDB [mailserver]> SELECT email as user, password, '%w' AS userdb_mail_crypt_private_password FROM virtual_users;
> >> +-------------------+----------------------------------+------------------------------------+
> >> | user              | password                         | userdb_mail_crypt_private_password |
> >> +-------------------+----------------------------------+------------------------------------+
> >> | [email protected] | {SHA256-CRYPT}$5$M/GWzmtjsLroRWI | %w                                 |
> >> +-------------------+----------------------------------+------------------------------------+
> >> 
> >> %w is a Dovecot variable and stands for the plaintext password, but the
> >> password is not stored as plaintext in the DB; %w gets filled with the
> >> actual plaintext password by Dovecot from what the user types in when
> >> authenticating.
> >> 
> >> Is this correct?
> > 
> > yes.
> > 
> >> So then I have the username, the hashed password and the plaintext password
> >> as a result of the query.
> > 
> > yes
> > 
> >> Now userdb_mail_crypt_private_password = the plaintext password.
> >> Do I need to reference it somewhere? Or is
> >> userdb_mail_crypt_private_password automatically used by
> >> the Dovecot mail_crypt plugin to encrypt the keys? Or should it be
> >> mail_crypt_private_password?
> > 
> > It gets injected into the mail process as 'mail_crypt_private_password', as
> > if it was set in the plugin {} section.
> > 
> >> If I have this setup working I'm going to write a blog post on this topic
> >> to share this knowledge.
> >> 
> >> Thanks again and have a great weekend.
> >> 
> >> Zjemm
> > 
> > Aki
> 
> Hi Aki,
> 
> Cool, I'm testing it right now.
> I have set up a new mailserver (life is great with LXC containers :) )
> 
> Postfix and Dovecot are working like normal.
> 
> Next I enable mail_crypt.
> 
> I did create a file: /etc/dovecot/conf.d/10-mailcrypt.conf
> ==========================
> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
> 
> mail_plugins = $mail_plugins mail_crypt
> 
> plugin {
>   mail_crypt_curve = secp521r1
>   mail_crypt_save_version = 2
> }
> ==========================
> 
> And then I changed the file: /etc/dovecot/dovecot-sql.conf.ext
> 
> so the query is now the new query:
> password_query = SELECT email as user, password, '%w' AS userdb_mail_crypt_private_password FROM virtual_users WHERE email='%u';
> 
> Then I restarted Dovecot and Postfix and sent a test email to the one and
> only test user that is in there.
> 
> When I open the mailbox with the tool mutt, I can see the new email, and when
> opening the email the mutt client drops the connection.
> 
> In the log I can see:
> 
> May 19 13:34:48 mailserver1.example.local dovecot[600]: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::1, lip=::1, mpid=713, TLS, session=<E3PnIY9sNM4AAAAAAAAAAAAAAAAAAAAB>
> May 19 13:34:49 mailserver1.example.local dovecot[600]: imap([email protected]): Error: read() failed: read(/var/vmail/example.org/john/Maildir/cur/1526736378.M161472P641.mailserver1.example.local,S=559,W=571:2,) failed: Private key not available: Cannot decrypt key bfc5bb25b1bf64290eea6dc14b516c6a0a25b64551b6e4f0f8677ba7274887cb: error:03070068:bignum routines:BN_mpi2bn:encoding error (FETCH BODY[] for mailbox INBOX UID 8)
> 
> I think I missed a step, but which one?
> 
> The user password hasn't been changed (that would be the next step in the
> testing process).
> 
> Should I have used doveadm first to encrypt the key with that user password? I
> thought it would do that on the fly, because the initial keys were only just
> created when enabling the mail_crypt plugin.
> 
> Please let me know your thoughts
> Zjemm
I noticed you replied directly to me, and not to the list, too... fixed that for you.

mail_crypt_private_password is used when the key is created, but if you have created it before using a password, you'll need to encrypt it before turning the setting on.

Aki
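An added example, written for this thread and not Dovecot's own code: it models the key-password lifecycle Aki describes with a secp521r1 key and the third-party `cryptography` package, standing in for mail_crypt's own key store format. A key generated before `mail_crypt_private_password` was set is stored unprotected, so opening it with the login password fails much like the log above, and the fix is to re-protect the existing key (the `doveadm mailbox cryptokey password` step) before the setting is turned on; using the DB hash instead of the plaintext, or losing the password, fails too. Function names and sample values are my own.

```python
# Added model of the mail_crypt key-password lifecycle discussed in the thread.
# Not Dovecot code: mail_crypt keeps keys in its own format in the attribute
# dict; an (optionally encrypted) PKCS#8 PEM stands in for it here.
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed sample values, not real credentials.
LOGIN_PASSWORD = b"correct horse battery"                # what %w expands to at login
DB_HASH = b"{SHA256-CRYPT}$5$examplesalt$examplehash"    # what the DB column holds


def generate_private_key(private_password=None):
    """Create the user's key as mail_crypt does when the plugin is first enabled.
    With no mail_crypt_private_password in effect the key is written unprotected."""
    key = ec.generate_private_key(ec.SECP521R1())        # mail_crypt_curve = secp521r1
    enc = (serialization.NoEncryption() if private_password is None
           else serialization.BestAvailableEncryption(private_password))
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8, enc)


def load_private_key(pem, private_password):
    """Open the stored key with the password the mail process now has
    (mail_crypt_private_password, injected from userdb_mail_crypt_private_password).
    Returns the key object, or an error string for the cases that break in the
    thread: key stored without a password, password missing, or wrong password
    (for example the DB hash used instead of the plaintext)."""
    try:
        return serialization.load_pem_private_key(pem, private_password)
    except (TypeError, ValueError) as err:
        return f"Cannot decrypt key: {err}"


def set_key_password(pem, old_password, new_password):
    """Re-protect an existing key with the user's login password: the
    'doveadm mailbox cryptokey password' step that has to run before the
    setting is turned on, and again whenever the login password changes."""
    key = serialization.load_pem_private_key(pem, old_password)
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8,
                             serialization.BestAvailableEncryption(new_password))


if __name__ == "__main__":
    stored = generate_private_key()                      # created before any password
    print(load_private_key(stored, LOGIN_PASSWORD))      # error: key is not encrypted
    stored = set_key_password(stored, None, LOGIN_PASSWORD)
    print(type(load_private_key(stored, LOGIN_PASSWORD)).__name__)  # key loads
    print(load_private_key(stored, DB_HASH))             # error: hash is not the password
    print(load_private_key(stored, None))                # error: password forgotten
```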
