> On 05/05/2023 14:57 EEST efeizbu...@disroot.org wrote:
>
> > On 2023-05-05 14:29, efeizbudak--- via dovecot wrote:
> > > On 2023-05-05 09:09, Aki Tuomi via dovecot wrote:
> > >>> On 05/05/2023 05:49 EEST efeizbudak--- via dovecot <dovecot@dovecot.org> wrote:
> > >>>
> > >>> > try
> > >>> >
> > >>> > doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox cryptokey generate -U -u dmarc
> > >>> >
> > >>> > maybe it works?
> > >>> >
> > >>> > Aki
> > >>>
> > >>> This gives the same error as the above that starts with
> > >>>
> > >>> doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key
> > >>
> > >> Ok, since this is getting too annoying I tested out that
> > >>
> > >> doveadm -o plugin/mail_crypt_private_password=foo mailbox cryptokey generate -u dmarc -U
> > >>
> > >> at least works for me with that setting.
> > >>
> > >> I've made an issue of this, because it's not supposed to work like this. Although it can end up as documentation task.
> > >>
> > >> Aki
> >
> > That worked! Thank you!!
>
> Sorry, I've missed one important part. After running this command and creating the keys, the emails are now received fine on the account but how can I actually read them? I've tried to log into the account using something like
>
> mutt -f imap://dm...@domain.com/Inbox
>
> but the login fails I guess because the user has keys but no password to login. How can I decrypt the mail on this account using the generated keys? I've also tried
>
> doveadm fetch -u dmarc "text" MAILBOX INBOX UNSEEN
>
> which gives me an error about password not being available.
Well yes. There have been so many threads on this on the mailing list so I'll just summarize it here:

If you are going to use per-user-passwords, you need to hash them. In config, you need to export this in passdb. Otherwise it will never end up in plugin environment. Hash them to avoid certain characters making a mess and also to make it more secure.

You **must** either make your users log in to Dovecot before receiving email, **or** include cryptokey management in your provisioning workflow. Remember to hash the password when providing it over -o plugin/mail_crypt_private_password.

Dovecot has no facility to ask the password over IMAP when you try to read the mail.

Doing per-user-password encryption is difficult to get right.

Aki
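As an added example (not code from the thread or from the Dovecot project), a small provisioning step along the lines Aki describes: hash the per-user password and pass the hash, not the plaintext, via -o plugin/mail_crypt_private_password when generating the user's keypair before any mail is delivered. It assumes doveadm is on the PATH and that passdb exports the same hash for this user; the choice of SHA-256 hex as the hash is an assumption.

```sh
#!/bin/sh
# Provisioning helper for mail_crypt per-user-password keys (added example).
# Assumption: passdb exports mail_crypt_private_password with the SAME value
# that hash_password produces, otherwise IMAP sessions cannot unlock the key.
set -eu

# Hash the plaintext so no awkward characters reach the plugin environment.
# SHA-256 hex is an assumption; use whatever your passdb exports, as long as
# the provisioning side and the login side agree byte for byte.
hash_password() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'
    fi
}

# Build the exact doveadm invocation from the thread, with the hash in place
# of the literal password, so it can be reviewed or logged before running.
build_cryptokey_cmd() {
    user=$1
    hashed=$(hash_password "$2")
    printf '%s\n' "doveadm -o plugin/mail_crypt_private_password=$hashed mailbox cryptokey generate -u $user -U"
}

# Generate the keypair. This must happen before the first message arrives,
# since delivery needs a public key and Dovecot will not ask for a password.
provision_user() {
    user=$1
    hashed=$(hash_password "$2")
    doveadm -o "plugin/mail_crypt_private_password=$hashed" \
        mailbox cryptokey generate -u "$user" -U
}

# Usage: ./provision.sh <user> <password>
if [ "$#" -eq 2 ]; then
    provision_user "$1" "$2"
fi
```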